Efficient Cryptographic Constructions For Resource-Constrained Blockchain Clients

Duc Viet Le (11191410)

28 July 2021

<div><div>The blockchain offers a decentralized way to provide security guarantees for financial transactions. However, this ability comes with the cost of storing a large (distributed) blockchain state and introducing additional computation and communication overhead to all participants. All these drawbacks raise a challenging scalability problem, especially for resource-constrained blockchain clients. On the other hand, some scaling solutions typically require resource-constrained clients to rely on other nodes with higher computational and storage capabilities. However, such scaling solutions often expose the data of the clients to risks of compromise of the more powerful nodes they rely on (e.g., accidental, malicious through a break-in, insider misbehavior, or malware infestation). This potential for leakage raises a privacy concern for these constrained clients, in addition to other scaling-related concerns. This dissertation proposes several cryptographic constructions and system designs enabling resource-constrained devices to participate in the blockchain network securely and efficiently. </div><div><br></div><div>Our first proposal concerns the storage facet for which we propose two add-on privacy designs to address the scaling issue of storing a large blockchain state. </div><div>The first solution is an oblivious database framework, called T³, that allows resource-constrained clients to obliviously fetch blockchain data from potential malicious full clients. The second solution focuses on the problem of using and storing additional private-by-design blockchains (e.g., Monero or ZCash) to achieve privacy. We propose an add-on tumbler design, called AMR, that offers privacy directly to clients of non-private blockchains such as Ethereum without the cost of storing and using different blockchain states.</div><div><br></div><div>Our second proposal addresses the communication facet with focus on payment channels as a solution to address the communication overhead between the constrained clients and the blockchain network. A payment channel enables transactions between arbitrary pairs of constrained clients with a minimal communication overhead with the blockchain network. However, in popular blockchains like Ethereum and Bitcoin, the payment data of such channels are exposed to the public, which is undesirable for financial applications. Thus, to hide transaction data, one can use blockchains that are private by design like Monero. However, existing cryptographic primitives in Monero prevent the system from supporting any form of payment channels. Therefore, we present <i>Dual Linkable Spontaneous Anonymous Group Signature for Ad Hoc Groups (DLSAG),</i> a linkable ring signature scheme that enables, for the first time, off-chain scalability solutions in Monero. </div><div><br></div><div>To address the computation facet, we address the computation overhead of the gossip protocol used in all popular blockchain protocols. For this purpose, we propose a signature primitive called <i>Flexible Signature</i>. In a flexible signature scheme, the verification algorithm quantifies the validity of a signature based on the computational effort performed by the verifier. Thus, the resource-constrained devices can partially verify the signatures in the blockchain transactions before relaying transactions to other peers. This primitive allows the resource-constrained devices to prevent spam transactions from flooding the blockchain network with overhead that is consistent with their resource constraints. </div></div>

Computer System Security

blockchain

cryptography

Oblivious Database

resource-constrained devices

OPTIPAC: A User-Oriented Computer System for Optimization in Engineering Design

McDonald, John Franklin

05 1900

<p> A description is given of the multi-technique nonlinear optimization system called OPTIPAC.</p> <p> The overall organization of the program is outlined and the significant features of each of the method subroutines are discussed. Considerable emphasis has been placed on the documentation for the system, and the two manuals which have been written are described briefly. The results of three test problems are included to demonstrate the value of having a variety of techniques in the package.</p> <p> A preliminary evaluation of OPTIPAC's performance is given, with relevant suggestions for further development.</p> / Thesis / Master of Engineering (MEngr)

An Analysis of Cyberbullying Policies In Virginia Public School Districts

Poole, G. Wesley

30 December 2010

The study examines the acceptable computer system use policies of each of the public school districts in the Commonwealth of Virginia, as well as the Virginia School Boards Association and the National School Boards Association policies as they relate to cyberbullying. Public middle school and public secondary school administrators across the Commonwealth were surveyed to determine to what extent cyberbullying is an issue in their schools, and to determine their views of their districts' current policies and procedures as they relate to cyberbullying. The study addresses the legal framework, based upon case law and statutory law that school districts must work within to balance students' free speech rights without abandoning the need to provide a safe and controlled learning environment. The study examines five arenas of students' First Amendment rights as they relate to cyberbullying with particular attention paid to Internet Service Provider liability, including: 1) form of the speech, political or obscene, 2) school-sponsored speech, 3) severity of the disruption caused by the incident, 4) site(s) of the incident, and 5) if the incident rises to the level of a true threat. The study evaluates existing school district policies in addition to public school administrators' perceptions relative to related statutory and case law in order to formulate a model policy that is legally defensible and would be appropriate for adoption by Virginia public school districts. / Ed. D.

Cyberbullying

First Amendment Speech Rights

Acceptable Computer System Use Policies

Implementation and Evaluation of an Algorithm for User Identity and Permissions for Situational Awareness Analysis

Tolley, Joseph D.

04 1900

The thesis analyzes the steps and actions necessary to develop an application using a user identity management system, user permissions system, message distribution system, and message response data collection and display system to deliver timely command and control of human assets and the input of intelligence in emergency response situations. The application, MinuteMan, uniquely manages messages sent between multiple users and their parent organizations. Specifically, messages are stored, managed, and displayed to managers based on the hierarch or organizational rank as well as situational allowances of the users sending and receiving messages and permissions. Using an algorithm for user identity and permissions for situational awareness analysis, messages and information is sent to multiple addressees in an organization. Responses are correlated to the rank of the responding recipients in the organization, to assist the users and the parent organizations to identify which responses to have been read. Receipt of the messages is acknowledged before the message can be fully read. Responses to the messages include a selection of a user status from a preset choice of statuses, and may include other response attributes required or offered by the sender of the message. The locations of responding and non-responding addresses can be mapped and tracked. The resulting solution provides improved situational awareness during emergency response situations. / M.S. / The thesis analyzes the steps and actions necessary to develop an application using a user identity management system, user permissions system, message distribution system, and message response data collection and display system to deliver timely command and control of human assets and the input of intelligence in emergency response situations. Using an algorithm for user identity and permissions for situational awareness analysis, messages and information are sent to multiple user addressees for individuals supporting an organization. Responses are correlated to the rank of the responding recipient in the organization, and to assist the senders of the messages to identify which responses to read by the targeted recipients. Receipt of the messages is acknowledged before the message can be fully read. Responses to the messages include a selection of a user status from a preset choice of statuses, and may include other response attributes required or offered by the sender of the message. The locations of responding and non-responding addresses can be mapped and tracked. The resulting solution provides improved situational awareness during emergency response situations.

emergency response

computer system

mobile device

organization

identity

user permissions

A virtual intergrated networks emulator on xen (viNex)

Mukwevho, Mukosi Abraham

11 1900

Network research experiments have traditionally been conducted in emulated or simulated environments. Emulators are frequently deployed on physical networks. Network simulators provide a self-contained and simple environment that can be hosted on one host. Simulators provide a synthetic environment that is only an approximation of the real world and therefore the results might not be a true re ection of reality. Recent progress in virtualisation technologies enable the deployment of multiple interconnected, virtual hosts on one machine. Virtual hosts run real network protocol stacks and therefore provide an emulated environment on a single host. The rst objective of this dissertation is to build a network emulator (viNEX) using a virtualisation platform (XEN). The second objective is to evaluate whether viNEX can be used to conduct some network research experiments. Thirdly, some limitations of this approach are identified / Computing / M. Sc. (Computer Science)

Virtual computer system

004.6

Computer science

Local area networks (Computer networks)

Enhanced font services for X Window system

Tsang, Pong-fan, Dex, 曾邦勳

January 2000

published_or_final_version / Computer Science and Information Systems / Master / Master of Philosophy

X Window System (Computer system)

Data structures (Computer science)

Cache memory.

Coal mine ventilation: a study of the use of ventilation in the production zone

Feroze, Tariq

January 2016

A thesis submitted to the Faculty of Engineering and the Built Environment, University of the Witwatersrand, Johannesburg, in fulfilment of the requirements for the degree of Doctor of Philosophy. Johannesburg, 2016 / The blind headings created in room and pillar mining are known to be the high risk areas of the coal mine, since this is where the coal production is actually taking place and hence the liberation of maximum quantity of methane. The ventilation of this region called the localized ventilation is carried out using auxiliary ventilation devices. This ventilation may be planned and be the subject of mine standards, but it is not very well understood and implementation on a day to day basis is usually left to the first level of supervisory staff. Majority of the methane explosions have been found to occur in these working areas and blind headings. The correct use of auxiliary ventilation devices can only be carried out once the effect of the system variables associated with each device is very well understood and can be calculated mathematically. Presently, no mathematical models or empirical formulas exist to estimate the effect of the associated system variables on the flow rates close to the face of the heading. The extent of ventilation of a heading ventilated without the use of any auxiliary device is not clear. Furthermore, to design additional engineering solutions, the flow patterns inside these heading ventilated with the auxiliary ventilation devices needs to be understood. The study of the face ventilation systems and the effect of the system variables associated system with each auxiliary ventilation device can be carried out experimentally, but doing a large number of experiments underground is very difficult as it disturbs the mine production cycles. Furthermore, studying the flow patterns experimentally is even more cumbersome, and can only be done to some extent using smoke or tracer gas. Therefore, Computational Fluid Dynamic‟s (CFD) advanced numerical code ANSYS Fluent was used to study the effect of a number of system variables associated with the face ventilation systems used in blind headings. As part of the procedure, the CFD model used was validated using four validation studies, in which the numerical results were compared with the actual experimental results. The numerical results differed to a maximum of 10% for all the experimental results. The system variables associated with ventilation of a heading, without the use of any auxiliary device, with the use of Line Brattice (LB) and fan with duct were selected. A range of values was chosen for each variable, and scenarios were created using every possible combination of these variables. All the scenarios were simulated in Ansys Fluent, the air flow rates, air velocities, velocity vectors, and velocity contours were calculated and drawn at different locations inside the heading. The effect of each system variable was found using a comparative analysis. The results were represented in simple user-friendly form and can be used to estimate the air flows at the exit of the LB and face of the heading for various settings of the LB and fan and duct face ventilation systems. The analysis of the ventilation of a heading without the use of LB shows that a maximum penetration depth is found with the Last Through Road (LTR) velocity of 1.35m/s. The flow rates and the maximum axial velocities increase with the increase in the LTR velocity up to a depth of 10m (maximum air flowing into a heading of 1.26m3/s and 1.58m3/s is found for the 3m and 4m high heading using 2m/s LTR velocity). For the LB ventilation system the LTR velocities, heading height, length of the LB in the LTR and heading, angle of the LB in LTR, and distance of the LB to the wall of the heading (side wall) were varied to identify clearly the effect of these control variables, on the flow rate at the exit of the LB, and close to the face of the heading. The flow rate at the exit of the LB is found to be proportional to the product of the distance of the LB to the wall in the LTR and heading. The flow rate at the exit of the LB, face of the heading, and inside the heading is found proportional to the LTR velocity and height of the heading. It is found that a minimum length of LB is associated with each distance of the LB to the wall in the heading, to maximize the delivery of air close to the face of the heading. This length is found to be equal to 15m for 1m LB to wall distance, and 10m for 0.5m LB to wall distance. Mathematical models were developed to estimate the effect of each studied system variables on the flow rates at the exit of the LB and close to face of the heading. For the fan and duct systems the length, diameter, and the fan design flow rates were varied. It is found that for a force fan duct system only a maximum of 50% of the total air that reaches the face is fresh and the remaining 50% is recirculated air. The flow rate with the exhaust fan system is found to be much lower than the force fan duct system. It increases with the reduction in duct mouth to heading face distance, and increase in duct diameter. Mathematical models are developed to calculate the flow rates at the face of the heading using the effect of each studied system variable. The research reveals that the ANSYS numerical code is an appropriate tool to evaluate the face ventilation of a heading in a three dimensional environment using full scale models. The South African coal mining industry can benefit from the outcomes of this study, specially the mathematical models, in a number of ways. Ventilation engineers can now estimate the flow rates close to the face of the heading for different practical mining scenarios and ensure sufficient ventilation by using the appropriate auxiliary ventilation settings. The results can easily be developed into training aids using easy to use excel spread sheets to ensure that mineworkers at the coal face have a better understanding of the working of the auxiliary ventilation devices. It can also serve Academia as part of the curriculum to teach the future mining engineers how the different variables associated with the auxiliary ventilation system affect the ventilation in a heading. The research therefore, has the potential to provide a significant step toward, understanding airflow rates delivered by the auxiliary devices close to the face of the heading and the air flow patterns inside the heading as a basis for improving the working environment for underground mineworkers. / MT2017

Mine ventilation

Coal mines and mining

Fluid dynamics--Mathematics

ANSYS (Computer system)

Retrowrite: Statically Instrumenting COTS Binaries for Fuzzing and Sanitization

Sushant Dinesh (6640856)

10 June 2019

<div>End users of closed-source software currently cannot easily analyze the security</div><div>of programs or patch them if flaws are found. Notably, end users can include devel</div><div>opers who use third party libraries. The current state of the art for coverage-guided</div><div>binary fuzzing or binary sanitization is dynamic binary translation, which results</div><div>in prohibitive overhead. Existing static rewriting techniques cannot fully recover</div><div>symbolization information, and so have difficulty modifying binaries to track code</div><div>coverage for fuzzing or add security checks for sanitizers.</div><div>The ideal solution for adding instrumentation is a static rewriter that can intel</div><div>ligently add in the required instrumentation as if it were inserted at compile time.</div><div>This requires analysis to statically disambiguate between references and scalars, a</div><div>problem known to be undecidable in the general case. We show that recovering this</div><div>information is possible in practice for the most common class of software and li</div><div>braries: 64 bit, position independent code. Based on our observation, we design a</div><div>binary-rewriting instrumentation to support American Fuzzy Lop (AFL) and Address</div><div>Sanitizer (ASan), and show that we achieve compiler levels of performance, while re</div><div>taining precision. Binaries rewritten for coverage-guided fuzzing using RetroWrite</div><div>are identical in performance to compiler-instrumented binaries and outperforms the</div><div>default QEMU-based instrumentation by 7.5x while triggering more bugs. Our im</div><div>plementation of binary-only Address Sanitizer is 3x faster than Valgrind memcheck,</div><div>the state-of-the-art binary-only memory checker, and detects 80% more bugs in our</div><div>security evaluation.</div>

Computer System Security

Programming Languages

Program Analysis

Binary Analysis

fuzzing

Sanitization

Security techniques for drones

Jongho Won (5930405)

10 June 2019

<div>Unmanned Aerial Vehicles (UAVs), commonly known as drones, are aircrafts without a human pilot aboard. The flight of drones can be controlled with a remote control by an operator located at the ground station, or fully autonomously by onboard computers. Drones are mostly found in the military. However, over the recent years, they have attracted the interest of industry and civilian sectors. <br></div><div>With the recent advance of sensor and embedded device technologies, various sensors will be embedded in city infrastructure to monitor various city-related information. In this context, drones can be effectively utilized in many safety-critical applications for collecting data from sensors on the ground and transmitting configuration instructions or task requests to these sensors.</div><div> <br></div><div>However, drones, like many networked devices, are vulnerable to cyber and physical attacks.<br></div><div>Challenges for secure drone applications can be divided in four aspects: 1) securing communication between drones and sensors, 2) securing sensor localization when drones locate sensors, 3) providing secure drone platforms to protect sensitive data against physical capture attacks and detect modifications to drone software, and 4) protecting secret keys in drones under white-box attack environments.<br></div><div> <br></div><div>To address the first challenge, a suite of cryptographic protocols is proposed. The protocols are based on certificateless cryptography and support authenticated key agreement, non-repudiation and user revocation. To minimize the energy required by a drone, a dual channel strategy is introduced.<br></div><div>To address the second challenge, a drone positioning strategy and a technique that can filter out malicious location references are proposed.<br></div><div>The third challenge is addressed by a solution integrating techniques for software-based attestation and data encryption.<br></div><div>For attestation, free memory spaces are filled with pseudo-random numbers, which are also utilized to encrypt data collected by the drone like a stream cipher.<br></div>A dynamic white-box encryption scheme is proposed to address the fourth challenge. Short secret key are converted into large look-up tables and the tables are periodically shuffled by a shuffling mechanism which is secure against white-box attackers.

Computer System Security

Drones

white-box encryption

sensor localization

software attestation

Privacy-Enhancing Techniques for Data Analytics

Fang-Yu Rao (6565679)

10 June 2019

<div> <div> <div> <p>Organizations today collect and aggregate huge amounts of data from individuals under various scenarios and for different purposes. Such aggregation of individuals’ data when combined with techniques of data analytics allows organizations to make informed decisions and predictions. But in many situations, different portions of the data associated with individuals are collected and curated by different organizations. To derive more accurate conclusions and predictions, those organization may want to conduct the analysis based on their joint data, which cannot be simply accomplished by each organization exchanging its own data with other organizations due to the sensitive nature of data. Developing approaches for collaborative privacy-preserving data analytics, however, is a nontrivial task. At least two major challenges have to be addressed. The first challenge is that the security of the data possessed by each organization should always be properly protected during and after the collaborative analysis process, whereas the second challenge is the high computational complexity usually accompanied by cryptographic primitives used to build such privacy-preserving protocols. </p><p><br></p><p> </p><div> <div> <div> <p>In this dissertation, based on widely adopted primitives in cryptography, we address the aforementioned challenges by developing techniques for data analytics that not only allow multiple mutually distrustful parties to perform data analysis on their joint data in a privacy-preserving manner, but also reduce the time required to complete the analysis. More specifically, using three common data analytics tasks as concrete examples, we show how to construct the respective privacy-preserving protocols under two different scenarios: (1) the protocols are executed by a collaborative process only involving the participating parties; (2) the protocols are outsourced to some service providers in the cloud. Two types of optimization for improving the efficiency of those protocols are also investigated. The first type allows each participating party access to a statistically controlled leakage so as to reduce the amount of required computation, while the second type utilizes the parallelism that could be incorporated into the task and pushes some computation to the offline phase to reduce the time needed for each participating party without any additional leakage. Extensive experiments are also conducted on real-world datasets to demonstrate the effectiveness of our proposed techniques.<br></p> <p> </p> </div> </div> </div> </div> </div> </div>

Computer System Security

Data Encryption

Differential Privacy

Secure Multiparty Computation

Record Linkage

K-Means Clustering