Zhi-Yu Peng,Shan-Ping Li

DOI: https://doi.org/10.1109/icmlc.2008.4620616

2008-01-01

Abstract:As pervasive computing leading to an increased collection of information in the computational world as well as the real world, privacy leaking becomes a serious issue. Although privacy protection has drawn great attention in recent years, the privacy-preserving trust management has not been brought forward. Credential chain discovery problem is the key issue in trust management, and traditionally credentials are full open in the whole system. This could expose users' access control policies as well as other private information, and leads to a great risk of being cheated by malicious users. This paper advocates a privacy-preserving credential chain discovery mechanism, in which credentials are no longer available to everyone. By merely learning credentials of one's logic neighbors, this mechanism still achieves good results. The simulations show that this mechanism is practical.

Peiru Li,Shanshan Li,Mengjie Ding,Jiapeng Yu,He Zhang,Xin Zhou,Jingyue Li

DOI: https://doi.org/10.1145/3530019.3531342

2022-01-01

Abstract:Hyperledger Fabric is another development of blockchain technology after Ethereum, which is more suitable as an operating platform for smart contracts. However, the testing technology of Hyperledger Fabric smart contracts (also known as chaincode) is not yet mature currently. Based on this, this paper studies the vulnerability detection of Golang chaincodes. Firstly, we summarize 17 kinds of Golang chaincode vulnerabilities by investigating existing research. Secondly, taking the high accuracy of dynamic detection and the high efficiency of static detection into consideration, we propose a chaincode vulnerability detection framework that combines the dynamic symbolic execution and the static abstract syntax tree analysis technology. We also implement a supporting-tool that can detect the above 15 types of vulnerabilities. Finally, we test the tool by 15 chaincodes collected from GitHub and unknown vulnerabilities were detected in 13 projects. The precision turned out to be 91% after manual inspection. In order to verify the recall rate, we manually inject 30 vulnerabilities into the collected chaincodes and all of them are detected. The evaluation results show the accuracy of the proposed vulnerability detection method for Hyperledger Fabric smart contracts.

Wei Liang,Yang Yang,Ce Yang,Yonghua Hu,Songyou Xie,Kuan-Ching Li,Jiannong Cao

DOI: https://doi.org/10.1109/tr.2022.3190932

IF: 5.883

2022-01-01

IEEE Transactions on Reliability

Abstract:With the advances and innovations in digital technologies, blockchain has empowered advancements in communications and networking, promising to build trust and establish secure decentralized communications networks. Unfortunately, current personal data privacy protection schemes still suffer from explicit storage, lack of data ownership and implementation of fine-grained access control by users, and lack of transparency and auditability of data. In this article, we propose a personal data privacy protection scheme based on consortium blockchain that stores original data encrypted with an improved Paillier homomorphic encryption mechanism, namely PDPChain, where users realize fine-grained access control based on ciphertext policy attribute-based encryption (CP-ABE) on blockchain. In this scheme, consortium blockchain combines distributed private clusters to store the encrypted data, improving data transmission efficiency, and guaranteeing user privacy and security through off-chain storage and on-chain transmission synergy. In addition, it is more lightweight encryption and demarcation, ultimately protecting personal data privacy and providing a secure and trusted way to obtain information for data mining. For the performance testing, data in the form of files are used as an example, and the scheme is designed and simulated on Hyperledger Fabric and InterPlanetary File System. Experimental results show that the improved Paillier encryption mechanism reduces the overall encryption and decryption elapsed time by 25 and encryption elapsed time by 48. Furthermore, the proposed CP-ABE access control method is adaptive to storing and sharing a massive amount of data. With the increase in the number of access control policies, the overall time-consuming of the scheme does not increase, and the time-consuming of decryption can also be stabilized at about 2 s.

engineering, electrical & electronic,computer science, software engineering, hardware & architecture

Chaoqun Ma,Xiaolin Kong,Qiujun Lan,Zhongding Zhou

DOI: https://doi.org/10.1186/s42400-019-0022-2

2019-01-30

Abstract:Blockchain technology ensures that data is tamper-proof, traceable, and trustworthy. This article introduces a well-known blockchain technology implementation—Hyperledger Fabric. The basic framework and privacy protection mechanisms of Hyperledger Fabric such as certificate authority, channel, Private Data Collection, etc. are described. As an example, a specific business scenario of supply chain finance is figured out. And accordingly, some design details about how to apply these privacy protection mechanisms are described.

computer science, information systems, interdisciplinary applications, software engineering

Jiapeng Zhou,Yuxiang Feng,Zhenyu Wang,Danyi Guo

DOI: https://doi.org/10.3390/s21041540

2021-02-23

Abstract:The development of information technology has brought great convenience to our lives, but at the same time, the unfairness and privacy issues brought about by traditional centralized systems cannot be ignored. Blockchain is a peer-to-peer and decentralized ledger technology that has the characteristics of transparency, consistency, traceability and fairness, but it reveals private information in some scenarios. Secure multi-party computation (MPC) guarantees enhanced privacy and correctness, so many researchers have been trying to combine secure MPC with blockchain to deal with privacy and trust issues. In this paper, we used homomorphic encryption, secret sharing and zero-knowledge proofs to construct a publicly verifiable secure MPC protocol consisting of two parts-an on-chain computation phase and an off-chain preprocessing phase-and we integrated the protocol as part of the chaincode in Hyperledger Fabric to protect the privacy of transaction data. Experiments showed that our solution performed well on a permissioned blockchain. Most of the time taken to complete the protocol was spent on communication, so the performance has a great deal of room to grow.

Su Zhang,Ying Zhang

DOI: https://doi.org/10.1109/icws55610.2022.00043

2022-01-01

Abstract:Privacy leakage is a forever critical issue for data sharing and cooperation. Therefore, many Privacy-Preserving-Computation-aimed services (PPCS) are published to provide a secure environment in which data can be processed in its encrypted or opaque state by specific programs (i.e. PPCS program). However, PPCS programs still face the risk of privacy leakage due to the intentionally or careless designed privacy leakage vulnerabilities (PLV) that may leak sensitive data in the returned result. Unfortunately, traditional PLV-detection approaches like quantitative estimation and taint analysis become inefficient for these PLVs due to the extremely large input domain and the complex data-processing logic of PPCS programs. In this paper, we propose a fuzzing-based approach named FuzzLeaks to detect PLVs. It uses coverage-oriented fuzz testing to generate test cases for checking PPCS programs and thus to carry out leakage estimation to detect PLVs. It effectively quantifies privacy leakage under the extremely large input domain via path-sensitive byte-level entropy analysis, and handles the complex data-processing logic via input mutation based on dynamic information flow analysis. We implement FuzzLeaks and validate it on the PLDA data set and LAVA-M data set. The experimental results show that FuzzLeaks outperforms traditional approaches in accuracy by 35.72% on the PLDA dataset, and the dynamic-analysis-based mutation guidance adopted by FuzzLeaks can even resulted in 50 more non-PLV bugs found on the LAVA-M data set.

Yangsun Lee

DOI: https://doi.org/10.14704/web/v19i1/web19318

2022-01-20

Webology

Abstract:The hyperledger fabric is a modular blockchain framework used by private companies to develop blockchain-based products, solutions, and applications using plug-and-play components. The smart contracts operating in this framework is created by implementing a chaincode. When implementing a chaincode, there may be a security weakness inside the code, which is the root cause of the security vulnerability. However, when the contract is completed and the block is created, the chaincode cannot be arbitrarily modified, so the security weakness must be analyzed before execution. This paper conducted a study on chaincode intermediate code generation for security weakness analysis of chaincode operating in hyperledger fabric blockchain framework. Analysis of security weaknesses at the source code level is not easy because the code logic is not clear and the complexity is high. On the other hand, security weakness analysis at the intermediate code level is easy to analyze because the code logic of the source code is clearly represented and the complexity is lower than that of the source code.

Le-Jun Fan,Yuan-Zhuo Wang,Jing-Yuan Li,Xue-Qi Cheng,Chuang Lin

DOI: https://doi.org/10.1007/s11390-015-1601-7

IF: 1.871

2015-01-01

Journal of Computer Science and Technology

Abstract:Private information leak behavior has been widely discovered in malware and suspicious applications. We refer to such software as privacy leak software (PLS). Nowadays, PLS has become a serious and challenging problem to cyber security. Previous methodologies are of two categories: one focuses on the outbound network traffic of the applications; the other dives into the inside information flow of the applications. We present an abstract model called Privacy Petri Net (PPN) which is more applicable to various applications and more intuitive and vivid to users. We apply our approach to both malware and suspicious applications in real world. The experimental result shows that our approach can effectively find categories, content, procedure, destination and severity of the private information leaks for the target software.

Talgar Bayan,Richard Banach

DOI: https://doi.org/10.1109/SIST58284.2023.10223536

2023-05-02

Abstract:In recent years, permissionless blockchains have gained significant attention for their ability to secure and provide transparency in transactions. The development of blockchain technology has shifted from cryptocurrency to decentralized finance, benefiting millions of unbanked individuals, and serving as the foundation of Web3, which aims to provide the next generation of the internet with data ownership for users. The rise of NFTs has also helped artists and creative workers to protect their intellectual property and reap the benefits of their work. However, privacy risks associated with permissionless blockchains have become a major concern for individuals and institutions. The role of blockchain in the transition from Web2 to Web3 is crucial, as it is rapidly evolving. As more individuals, institutions, and organizations adopt this technology, it becomes increasingly important to closely monitor the new risks associated with permissionless blockchains and provide updated solutions to mitigate them. This paper endeavors to examine the privacy risks inherent in permissionless blockchains, including Remote Procedure Call (RPC) issues, Ethereum Name Service (ENS), miner extractable value (MEV) bots, on-chain data analysis, data breaches, transaction linking, transaction metadata, and others. The existing solutions to these privacy risks, such as zero-knowledge proofs, ring signatures, Hyperledger Fabric, and stealth addresses, shall be analyzed. Finally, suggestions for the future improvement of privacy solutions in the permissionless blockchain space shall be put forward.

Cryptography and Security,Software Engineering

Qingsong Yao,Jinsong Han,Yong Qi,Lei Yang,Yunhao Liu

DOI: https://doi.org/10.1109/ICPP.2011.52

2011-01-01

Abstract:Existing RFID Privacy-Preserving Authentication (PPA) solutions mainly focus on the design of crypto based interactive protocols between readers and tags. Although the cryptographic mechanisms enable randomization and enhance protocol-level privacy, the access mode in RFID systems is less random and may leak private information. We introduce anew attack based on such privacy leakage in access mode, where we show that the mainstream RFID PPA protocols, including the linear, tree-based, and synchronization-based solutions, are not private. We also show that this new attack is easy to conduct, e.g., we can track tags that employ typical tree-based PPA protocols without the need of compromising tags. We discuss the applicability of the attack. Moreover, we provide useful recommendations to strengthen existing PPA protocols in defending against such attacks. The simulation results demonstrate the practicability and effectiveness of this attack.

Yun Feng,Baoxu Liu,Xiang Cui,Chaoge Liu,Xuebin Kang,Junwei Su

DOI: https://doi.org/10.1109/trustcom/bigdatase.2018.00144

2018-08-01

Abstract:PDF is extensively employed worldwide in the current time. A vast number of PDF are disseminated over the Internet during people's exchange of documents. The private information that is hidden in PDF document structure is revealed with documents, which causes privacy leakage. To systematically analyze and address the issues, we conduct a series of studies. We find possible sources of PDF personal privacy leaks and design a methodology to extract and recognize sensitive information automatically. Our methodology is helpful for users to check whether their PDF documents contain privacy information prior to transmission via the Internet. We conduct an experiment, and the results indicate the effectiveness of our method. We then experiment tens of thousands of benign and malicious PDF documents gathered from multiple sources around the world to analyze the current privacy leakage situation of PDF documents. Our analysis demonstrates that nearly 70% of people lack the awareness of privacy protection when employing PDF documents. We also discuss the special usage of our method in cyberattack attribution.

Hanyang Yuan,Jiarong Xu,Cong Wang,Ziqi Yang,Chunping Wang,Keting Yin,Yang Yang

2024-07-26

Abstract:The public sharing of user information opens the door for adversaries to infer private data, leading to privacy breaches and facilitating malicious activities. While numerous studies have concentrated on privacy leakage via public user attributes, the threats associated with the exposure of user relationships, particularly through network structure, are often neglected. This study aims to fill this critical gap by advancing the understanding and protection against privacy risks emanating from network structure, moving beyond direct connections with neighbors to include the broader implications of indirect network structural patterns. To achieve this, we first investigate the problem of Graph Privacy Leakage via Structure (GPS), and introduce a novel measure, the Generalized Homophily Ratio, to quantify the various mechanisms contributing to privacy breach risks in GPS. Based on this insight, we develop a novel graph private attribute inference attack, which acts as a pivotal tool for evaluating the potential for privacy leakage through network structures under worst-case scenarios. To protect users' private data from such vulnerabilities, we propose a graph data publishing method incorporating a learnable graph sampling technique, effectively transforming the original graph into a privacy-preserving version. Extensive experiments demonstrate that our attack model poses a significant threat to user privacy, and our graph data publishing method successfully achieves the optimal privacy-utility trade-off compared to baselines.

Machine Learning,Social and Information Networks

Takio Uesugi,Yoshinobu Shijo,Masayuki Murata

DOI: https://doi.org/10.48550/arXiv.2004.07606

2020-04-16

Cryptography and Security

Abstract:Securing the traceability of products in the supply chain is an urgent issue. Recently, supply chain systems that use public blockchain (PBC) have been proposed. In these systems, PBC is used as a common database shared between supply chain parties to secure the integrity and reliability of distribution information such as ownership transfer records. Thus, these systems secure a high level of traceability in the supply chain. However, the distribution information, which can be private information, is made public since the information recorded in PBC can be read by anyone. In this paper, we propose a method for preserving privacy while securing traceability in a supply chain system using PBC. The proposed method preserves privacy by concealing the distribution information via encryption. In addition, the proposed method ensures distribution among legitimate supply chain parties while concealing their blockchain address by using a zero-knowledge proof to prove their authenticity. We implement the proposed method on Ethereum smart contracts and evaluate cost performance based on transaction fees. The results show that the fee per party is at most 2.6 USD.

Wei Liang,Yaqin Liu,Ce Yang,Songyou Xie,Kuanching Li,Willy Susilo

DOI: https://doi.org/10.1145/3676164

IF: 16.6

2024-07-27

ACM Computing Surveys

Abstract:Blockchain is a decentralized distributed ledger that combines multiple technologies, including chain data structures, P2P networks, consensus algorithms, cryptography, and smart contracts. This gives the blockchain the characteristics of decentralization, immutability, and traceability. However, blockchain stores smart contracts and transactions in blocks publicly, which poses the risk of data leakage and misuse. For example, by mining and analyzing blockchain transaction information, attackers can correlate transactions with user information, resulting in the disclosure of user privacy. Many current reviews focus on the privacy of permissionless blockchains or cryptocurrencies, requiring more in-depth investigations and detailed categorical analysis. To fill this gap, this work comprehensively reviews the latest and traditional methods related to identity, transaction, and smart contract privacy within permissioned and permissionless blockchains. Additionally, we summarize the existing problems, threats, and challenges of data management in different blockchain architectures. Last, we discuss future research directions for blockchain privacy protection technology, which can offer feasible ideas for researchers to explore further.

computer science, theory & methods

Yuxian Li,Jian Weng,Wei Wu,Ming Li,Yingjiu Li,Haoxin Tu,Yongdong Wu,Robert.H. Deng

DOI: https://doi.org/10.1016/j.jpdc.2023.104721

IF: 4.542

2023-06-03

Journal of Parallel and Distributed Computing

Abstract:Blockchain systems, one of the most popular distributed systems, are well-applied in various scenarios, e.g., logistics and finance. However, traditional blockchain systems suffer from scalability issues. To tackle this issue, Payment Channel Hubs (PCHs) are proposed. Recent efforts, such as A2L (SP'21) and Teechain (SOSP'19), enhance the privacy, reusability, and interoperability properties of PCHs. Nevertheless, these solutions have intrinsic limitations: they rely on trusted hardware or suffer from the deposit lock-in problem. Furthermore, the functionalities of some of these solutions are restricted to fixed-amount payments and do not support multi-party participation. These aforementioned problems limit their capabilities to alleviate blockchain scalability issues. In this paper, we propose PRI, a novel PCH solution that simultaneously guarantees transaction P rivacy (i.e., relationship unlinkability and value confidentiality), deposit R eusability, and blockchain I nteroperability, which can mitigate the aforementioned problems. PRI is constructed by several new building blocks, including (1) an atomic deposit protocol that enforces user and hub to deposit equivalent assets in a shared address for building a fair payment channel; (2) a privacy-preserving deposit certification scheme that leverages the Pointcheval and Sanders signature and non-interactive zero-knowledge proof to resolve the deposit lock-in issue in maintaining payment channels; (3) a range proof which ensures the legality and confidentiality of transaction values. We conduct extensive experimental evaluations of PRI, demonstrating that it improves the state-of-the-art approaches in terms of performance.

computer science, theory & methods

Tobias Guggenberger,Johannes Sedlmeir,Gilbert Fridgen,André Luckow

DOI: https://doi.org/10.1016/j.cie.2022.108716

2022-11-01

Abstract:Private permissioned blockchains are deployed in ever greater numbers to facilitate cross-organizational processes in various industries, particularly in supply chain management. One popular example of this trend is Hyperledger Fabric. Compared to public permissionless blockchains, it promises improved performance and provides certain features that address key requirements of enterprises. However, also permissioned blockchains are still not as scalable as centralized systems, and due to the scarcity of theoretical results and empirical data, their real-world performance cannot be predicted with the necessary precision. We intend to address this issue by conducting an in-depth performance analysis of Hyperledger Fabric. The paper presents a detailed compilation of various performance characteristics using an enhanced version of the Distributed Ledger Performance Scan (DLPS). Researchers and practitioners alike can use the various performance properties identified and discussed as guidelines to better configure and implement their Hyperledger Fabric network. Likewise, they are encouraged to use the DLPS framework to conduct their measurements.

computer science, interdisciplinary applications,engineering, industrial

Huaijin Wang,Zhibo Liu,Yanbo Dai,Shuai Wang,Qiyi Tang,Sen Nie,Shi Wu

2024-12-02

Abstract:Software composition analysis (SCA) denotes the process of identifying open-source software components in an input software application. SCA has been extensively developed and adopted by academia and industry. However, we notice that the modern SCA techniques in industry scenarios still need to be improved due to privacy concerns. Overall, SCA requires the users to upload their applications' source code to a remote SCA server, which then inspects the applications and reports the component usage to users. This process is privacy-sensitive since the applications may contain sensitive information, such as proprietary source code, algorithms, trade secrets, and user data. Privacy concerns have prevented the SCA technology from being used in real-world scenarios. Therefore, academia and the industry demand privacy-preserving SCA solutions. For the first time, we analyze the privacy requirements of SCA and provide a landscape depicting possible technical solutions with varying privacy gains and overheads. In particular, given that de facto SCA frameworks are primarily driven by code similarity-based techniques, we explore combining several privacy-preserving protocols to encapsulate the similarity-based SCA framework. Among all viable solutions, we find that multi-party computation (MPC) offers the strongest privacy guarantee and plausible accuracy; it, however, incurs high overhead (184 times). We optimize the MPC-based SCA framework by reducing the amount of crypto protocol transactions using program analysis techniques. The evaluation results show that our proposed optimizations can reduce the MPC-based SCA overhead to only 8.5% without sacrificing SCA's privacy guarantee or accuracy.

Software Engineering,Cryptography and Security

Tianpei Lu,Bingsheng Zhang,Kui Ren

DOI: https://doi.org/10.1109/tdsc.2023.3284565

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Privacy concerns often raise when sensitive data are collected, traded, and processed. The data owner typically loses her ultimate control of the data after data-outsourcing. In this work, we present the PrivData Network – a community-controlled privacy-preserving data factory and trading market. It can be viewed as a standalone data ecosystem that enables privacy-preserving data-driven workflows in a controlled environment for orchestrating and automating data movement and data transformation. In particular, we design a data encapsulation mechanism with privacy assurance, which can guarantee data privacy, usage policy compliance and metadata validity. We also design a privacy policy language and utilize a static analysis library that transfers the program to the defined policy language. To ensure the correctness of data processing, we propose a publicly verifiable secure multiparty computation protocol for mixed circuits, which guarantees the output correctness even if all parties are corrupted. Its online efficiency is comparable to conventional semi-honest secret-sharing-based MPC schemes. Finally, we implemented a prototype of our system in C++ and benchmark it on various tasks, such as biometric matching, logistic regression, and decision trees, etc.

Sheng Peng,Linkai Zhu,Shanwen Hu,Zhiming Cai,Wenjian Liu

DOI: https://doi.org/10.3390/math12101481

IF: 2.4

2024-05-11

Mathematics

Abstract:Blockchain technology, initially developed as a decentralized and transparent mechanism for recording transactions, faces significant privacy challenges due to its inherent transparency, exposing sensitive transaction data to all network participants. This study proposes a blockchain privacy protection algorithm that employs a digital mutual trust mechanism integrated with advanced cryptographic techniques to enhance privacy and security in blockchain transactions. The contribution includes the development of a new dynamic Byzantine consensus algorithm within the Practical Byzantine Fault Tolerance framework, incorporating an authorization mechanism from the reputation model and a proof consensus algorithm for robust digital mutual trust. Additionally, the refinement of homomorphic cryptography using the approximate greatest common divisor technique optimizes the encryption process to support complex operations securely. The integration of a smart contract system facilitates automatic and private transaction execution across the blockchain network. Experimental evidence demonstrates the superior performance of the algorithm in handling privacy requests and transaction receipts with reduced delays and increased accuracy, marking a significant improvement over existing methods.

mathematics

Wen Ming Liu,Lingyu Wang,Pengsu Cheng,Kui Ren,Shunzhi Zhu,Mourad Debbabi

DOI: https://doi.org/10.1109/tdsc.2014.2302308

2014-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:While web-based applications are gaining popularity, they also pose new security challenges. In particular, Chen et al. recently revealed that many popular Web applications actually leak out highly sensitive data from encrypted traffic due to side-channel attacks using packet sizes and timing [1]. They further demonstrated that existing solutions usually incur a high overhead while still not guaranteeing privacy protection. In this paper, we observe a striking similarity between this issue and another well studied problem, privacy-preserving data publishing (PPDP). Based on such a similarity, we propose a formal model for privacy-preserving traffic padding (PPTP) that encompasses privacy requirement, padding cost, and padding methods.