Professional Documents
Culture Documents
Ebook Computer Security Esorics 2020 25Th European Symposium On Research in Computer Security Esorics 2020 Guildford Uk September 14 18 2020 Proceedings Part I Liqun Chen Online PDF All Chapter
Ebook Computer Security Esorics 2020 25Th European Symposium On Research in Computer Security Esorics 2020 Guildford Uk September 14 18 2020 Proceedings Part I Liqun Chen Online PDF All Chapter
https://ebookmeta.com/product/computer-vision-eccv-2020-16th-
european-conference-glasgow-uk-august-23-28-2020-proceedings-
part-i-andrea-vedaldi/
https://ebookmeta.com/product/computer-vision-eccv-2020-16th-
european-conference-glasgow-uk-august-23-28-2020-proceedings-
part-xxvii-andrea-vedaldi/
https://ebookmeta.com/product/computer-vision-eccv-2020-16th-
european-conference-glasgow-uk-august-23-28-2020-proceedings-
part-vi-andrea-vedaldi/
Computer Vision ECCV 2020 16th European Conference
Glasgow UK August 23 28 2020 Proceedings Part XIII
Andrea Vedaldi
https://ebookmeta.com/product/computer-vision-eccv-2020-16th-
european-conference-glasgow-uk-august-23-28-2020-proceedings-
part-xiii-andrea-vedaldi/
https://ebookmeta.com/product/computer-vision-eccv-2020-16th-
european-conference-glasgow-uk-august-23-28-2020-proceedings-
part-xxix-andrea-vedaldi/
https://ebookmeta.com/product/computer-vision-eccv-2020-16th-
european-conference-glasgow-uk-august-23-28-2020-proceedings-
part-iv-andrea-vedaldi/
https://ebookmeta.com/product/computer-vision-eccv-2020-16th-
european-conference-glasgow-uk-august-23-28-2020-proceedings-
part-viii-andrea-vedaldi/
https://ebookmeta.com/product/computer-vision-eccv-2020-16th-
european-conference-glasgow-uk-august-23-28-2020-proceedings-
part-xxx-andrea-vedaldi/
Liqun Chen
Ninghui Li
Kaitai Liang
Steve Schneider (Eds.)
LNCS 12308
Computer Security –
ESORICS 2020
25th European Symposium
on Research in Computer Security, ESORICS 2020
Guildford, UK, September 14–18, 2020, Proceedings, Part I
Lecture Notes in Computer Science 12308
Founding Editors
Gerhard Goos
Karlsruhe Institute of Technology, Karlsruhe, Germany
Juris Hartmanis
Cornell University, Ithaca, NY, USA
Computer Security –
ESORICS 2020
25th European Symposium
on Research in Computer Security, ESORICS 2020
Guildford, UK, September 14–18, 2020
Proceedings, Part I
123
Editors
Liqun Chen Ninghui Li
University of Surrey Purdue University
Guildford, UK West Lafayette, IN, USA
Kaitai Liang Steve Schneider
Delft University of Technology University of Surrey
Delft, The Netherlands Guildford, UK
This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Preface
The two volume set, LNCS 12308 and 12309, contain the papers that were selected for
presentation and publication at the 25th European Symposium on Research in Com-
puter Security (ESORICS 2020) which was held together with affiliated workshops
during the week September 14–18, 2020. Due to the global COVID-19 pandemic, the
conference and workshops ran virtually, hosted by the University of Surrey, UK. The
aim of ESORICS is to further research in computer security and privacy by establishing
a European forum, bringing together researchers in these areas by promoting the
exchange of ideas with system developers and by encouraging links with researchers in
related fields.
In response to the call for papers, 366 papers were submitted to the conference.
These papers were evaluated on the basis of their significance, novelty, and technical
quality. Except for a very small number of papers, each paper was carefully evaluated
by three to five referees and then discussed among the Program Committee. The papers
were reviewed in a single-blind manner. Finally, 72 papers were selected for presen-
tation at the conference, yielding an acceptance rate of 19.7%. We were also delighted
to welcome invited talks from Aggelos Kiayias, Vadim Lyubashevsky, and Rebecca
Wright.
Following the reviews two papers were selected for Best Paper Awards and they
share the 1,000 EUR prize generously provided by Springer: “Pine: Enabling
privacy-preserving deep packet inspection on TLS with rule-hiding and fast connection
establishment” by Jianting Ning, Xinyi Huang, Geong Sen Poh, Shengmin Xu, Jason
Loh, Jian Weng, and Robert H. Deng; and “Automatic generation of source lemmas in
Tamarin: towards automatic proofs of security protocols” by Véronique Cortier,
Stéphanie Delaune, and Jannik Dreier.
The Program Committee consisted of 127 members across 25 countries. There were
submissions from a total of 1,201 authors across 42 countries, with 24 countries
represented among the accepted papers.
ESORICS 2020 would not have been possible without the contributions of the many
volunteers who freely gave their time and expertise. We would like to thank the
members of the Program Committee and the external reviewers for their substantial
work in evaluating the papers. We would also like to thank the organization/department
chair, Helen Treharne, the workshop chair, Mark Manulis, and all of the workshop
co-chairs, the poster chair, Ioana Boureanu, and the ESORICS Steering Committee. We
are also grateful to Huawei and IBM Research – Haifa, Israel for their sponsorship that
enabled us to support this online event. Finally, we would like to express our thanks to
the authors who submitted papers to ESORICS 2020. They, more than anyone else, are
what made this conference possible.
vi Preface
We hope that you will find the proceedings stimulating and a source of inspiration
for future research.
General Chair
Steve Schneider University of Surrey, UK
Program Chairs
Liqun Chen University of Surrey, UK
Ninghui Li Purdue University, USA
Steering Committee
Program Committee
Yousra Aafer University of Waterloo, Canada
Mitsuaki Akiyama NTT, Japan
Cristina Alcaraz UMA, Spain
Frederik Armknecht Universität Mannheim, Germany
Vijay Atluri Rutgers University, USA
Erman Ayday Bilkent University, Turkey
Antonio Bianchi Purdue University, USA
Marina Blanton University at Buffalo, USA
Carlo Blundo Università degli Studi di Salerno, Italy
Alvaro Cardenas The University of Texas at Dallas, USA
Berkay Celik Purdue University, USA
Aldar C-F. Chan BIS Innovation Hub Centre, Hong Kong, China
Sze Yiu Chau Purdue University, USA
viii Organization
Workshop Chair
Mark Manulis University of Surrey, UK
Poster Chair
Ioana Boureanu University of Surrey, UK
Organization/Department Chair
Helen Treharne University of Surrey, UK
Organization xi
Additional Reviewers
Aggelos Kiayias
Vadim Lyubashevsky
Rebecca N. Wright
System Security I
Network Security I
Software Security
Follow the Blue Bird: A Study on Threat Data Published on Twitter. . . . . . . 217
Fernando Alves, Ambrose Andongabo, Ilir Gashi, Pedro M. Ferreira,
and Alysson Bessani
Network Security II
Privacy
GDPR – Challenges for Reconciling Legal Rules with Technical Reality . . . . 736
Mirosław Kutyłowski, Anna Lauks-Dutka, and Moti Yung
Formal Modelling
Applied Cryptography I
Analyzing Attacks
System Security II
Post-quantum Cryptography
Security Analysis
Applied Cryptography II
Blockchain I
Securing DNSSEC Keys via Threshold ECDSA from Generic MPC . . . . . . . 654
Anders Dalskov, Claudio Orlandi, Marcel Keller, Kris Shrishak,
and Haya Shulman
Blockchain II
1 Introduction
According to the recent Internet trends report [11], 87% of today’s web traf-
fic was encrypted, compared to 53% in 2016. Similarly, over 94% of web traffic
across Google uses HTTPS encryption [7]. The increasing use of end-to-end
encryption to secure web traffic has hampered the ability of existing middle-
boxes to detect malicious packets via deep packet inspection on the traffic. As
a result, security service providers and enterprises deploy tools that perform
Man-in-the-Middle (MitM) to decrypt, inspect and re-encrypt traffic before the
traffic is sent to the designated server. Such approach is termed as Transport
Layer Security Inspection (TLSI) by the National Security Agency (NSA), which
recently issued an advisory on TLSI [12] citing potential security issues includ-
ing insider threats. TLSI introduces additional risks whereby administrators may
abuse their authorities to obtain sensitive information from the decrypted traffic.
On the other hand, there exists growing privacy concern on the access to users’
data by middleboxes as well as the enterprise gateways. According to a recent
survey on TLSI in the US [16], more than 70% of the participants are concerned
that middleboxes (or TLS proxies) performing TLSI can be exploited by hackers
or used by governments, and close to 50% think it is an invasion to privacy. In
general, participants are acceptable to the use of middleboxes by their employers
or universities for security purposes but also want assurance that these would
not be used by governments for surveillance or by exploited hackers.
To alleviate the above concerns on maintaining security of TLS while ensur-
ing privacy of the encrypted traffic, Sherry et al. [20] introduced a solution called
BlindBox to perform inspection on encrypted traffic directly. However, BlindBox
needs a setup phase that is executed between the middlebox and the client. The
setup phase performs two-party computation where the input of the middlebox
are the rules, which means that the privacy of rules against the middlebox is
not assured. In addition, this setup phase is built based on garbled circuit, and
needs to be executed for every session. Due to the properties of garble circuit,
such setup phase incurs significant computation and communication overheads.
To overcome this limitation, Ning et al. [15] recently proposed PrivDPI with an
improved setup phase. A new obfuscated rule generation technique was intro-
duced, which enables the reuse of intermediate values generated during the first
TLS session across subsequent sessions. This greatly reduces the computation
and communication overheads over a series of sessions. However, there still exists
considerable delay during the establishment of a TLS connection since each client
is required to run a preprocessing protocol for each new connection. In addition,
Pine 5
as we will show in Sect. 4.1, when the domain of the inspection or attack rules
is small, the middlebox could perform brute force guessing for the rules in the
setting of PrivDPI. This means that, as in BlindBox, PrivDPI does not provide
privacy of rules against the middlebox. However, as noted in [20], most solution
providers, such as McAfee, rely on the privacy of their rules in their business
model. More so given the increasingly popular cloud-based middlebox services,
the privacy of the rules should be preserved against the middleboxes.
Given the security and privacy concerns on TLSI, and the current status of
the state-of-the-arts, we seek to introduce a new solution that addresses the fol-
lowing issues, in addition to maintaining the security and privacy provisions of
BlindBox and PrivDPI: (1) Fast TLS connection establishment without prepro-
cessing in order to eliminate the session setup delay incurred in both BlindBox
and PrivDPI; (2) Resisting brute force guessing of the rule sets even for small
rule domains; (3) Supporting lightweight rule addition.
Our Contributions. We propose Pine, a new protocol for privacy-preserving
deep packet inspection on encrypted traffic, for a practical enterprise network
setting, where clients connect to the Internet through an enterprise gateway. The
main contributions are summarized as follows.
– Identifying limitation of PrivDPI. We revisit PrivDPI and demonstrate
that in PrivDPI, when the rule domain is small, the middlebox could forge
new encrypted rules that gives the middlebox the ability to detect the
encrypted traffic with any encrypted rules it generates.
– New solution with stronger privacy guarantee. We propose Pine as the
new solution for the problem of privacy-preserving deep packet inspection,
where stronger privacy is guaranteed. First of all, the privacy of the traffic is
protected unless there exists an attack in the traffic. Furthermore, privacy of
rules is assured against the middlebox, we call this property rule hiding. This
property ensures privacy of rules even when the rule domain is small (e.g.
approximately 3000 rules as in existing Network Intrusion Detection (IDS)
rules), which addresses the limitation of PrivDPI. In addition, privacy of rules
is also assured against the enterprise gateway and the endpoints, we term this
property rule privacy.
– Amortized setup, fast connection establishment. Pine enables the
establishment of a TLS connection with low latency and without the need
for an interactive preprocessing protocol as in PrivDPI and BlindBox. The
latency-incurring preprocessing protocol is performed offline and is only exe-
cuted once. Consequently, there is no per-user-connection overhead. Any
client can setup a secure TLS connection with a remote server without prepro-
cessing delay. In contrast, in PrivDPI and BlindBox, the more rules there are,
the higher the per-connection setup cost is. The speed up of the connection
is crucial for low-latency applications.
– Lightweight rule addition. Pine is a dynamic protocol in that it allows new
rules being added on the fly without affecting the connection between a client
and a server. The rule addition is seamless to the clients in the sense that
the gateway can locally execute the rule addition phase with the middlebox
6 J. Ning et al.
2 Protocol Overview
Pine shares a similar architecture with BlindBox and PrivDPI, as illustrated
in Fig. 1. There are five entities in Pine: Client, Server, Gateway (GW), Rule
Generator (RG) and Middlebox (MB). Client and server are the endpoints
that send and receive network traffic protected by TLS. GW is a device located
between a set of clients and servers that allows network traffic to flow from one
endpoint to another endpoint. RG generates the attack rule tuples for MB.
The attack rule tuples will be used by MB to detect attacks in the network
traffic. Each attack rule describes an attack and contains one or more keywords
to be matched in the network communication. Hereafter, we will use the terms
“rule” and “attack rule” interchangeably. The role of RG can be performed by
organization such as McAfee [18]. MB is a network device that inspects and
filters network traffic using the attack rule tuples issued by RG.
System Requirements. The primary aim is to provide a privacy-preserving
mechanism that can detect any suspicious traffic while at the same time ensure
the privacy of endpoint’s traffic. In particular, the system requirements include:
– Traffic inspection: Pine retains similar functionality of traditional IDS, i.e.,
to find a suspicious keyword in the packet.
– Rule privacy: The endpoints and GW should not learn the attack rules (i.e.,
the keywords). This is required especially for security solution providers that
generate comprehensive and proprietary rule sets as their unique proposition
that help to detect malicious traffic more effectively.
Pine 7
Protocol Flow. We present how each phase functions at a high level as follows.
– Initialization. RG initializes the system by setting the public parameters.
– Setup. GW subscribes the inspection service from RG, in which RG receives
a shared secret from GW. RG issues the attack rule tuples to MB. The client
and the server will derive some parameters from the key of the primary TLS
handshake protocol and install a Pine HTTPS configuration, respectively.
– Preprocessing. In this phase, GW interacts with MB to generate a set of
reusable randomized rules. In addition, GW generates and sends the initial-
ization parameters to the clients within its domain.
– Preparation of Session Detection Rule. In this phase, the reusable randomized
rules will be used to generate session detection rules.
– Token Encryption. In this phase, a client generates the encrypted token for
each token in the payload. The encrypted tokens will be sent along with the
traffic encrypted from the payload using regular TLS.
– Gateway Checking. For the first session, GW checks whether the attached
parameters sent by the client is well-formed. This phase will be run when a
client connects to a server for the first time.
8 J. Ning et al.
3 Preliminaries
Complexity Assumption. The decision Diffie-Hellman (DDH) problem is
stated as follows: given g, g x , g y , g z , decide whether z = xy (modulo the order
of g), where x, y, z ∈ Zp . We say that a PPT algorithm B has advantage in
x y xy x y z
solving the DDH problem if | Pr[B (g,g ,g ,g ) = 1] − Pr[B (g,g ,g ,g ) = 1]| ≥ ,
where the probability above is taken over the coins of B, g, x, y, z.
Definition 1. The DDH assumption holds if no PPT adversary has advantage
at least in solving the DDH problem.
Pseudorandom function. A pseudorandom function family PRF is a family
of functions {PRFa : U → V |a ∈ A} such that A could be efficiently samplable
and all PRF, U , V , A are indexed by a security parameter λ. The security
property of a PRF is: for any PPT algorithm B running in λ, it holds that
| Pr[B PRFa (·) = 1] − Pr[B R(·) = 1]| = negl(λ), where negl is a negligible function
of λ, a and R are uniform over A and (U → V ) respectively. The probability
above is taken over the coins of B, a and R. For notational simplicity, we consider
one version of the general pseudorandom function notion that is custom-made to
fit our implementation. Specifically, the pseudorandom function PRF considered
in this paper maps λ-bit strings to elements of Zp . Namely, PRFa : {0, 1}λ → Zp ,
where a ∈ G.
Payload Tokenization. As in BlindBox and PrivDPI, we deploy window-based
tokenization to tokenize keywords of a client’s payload. Window-based tokeniza-
tion follows a simple sliding window algorithm. We adopt 8 bytes per token when
we implement the protocol. That is, given a payload “secret key”, an endpoint
will generate the tokens “secret k”, “ecret ke” and “cret key”.
4 Protocol
In this section, we first point out the limitation of PrivDPI. To address this prob-
lem and further reduce the connection delay, we then present our new protocol.
PrivDPI. In the setup phase, a middlebox receives (si , Ri , sig(Ri )) for rule ri ,
where Ri = g αri +si and sig(Ri ) is the signature of Ri . With si and Ri , MB
obtains the value g αri . Recall that in PrivDPI, the value A = g α is included in
the PrivDPI HTTPS configuration, MB could obtain this value via installing a
PrivDPI HTTPS configuration. Since the domain of rule is small, with A and
g αri , MB can launch brute force attack to obtain the value of ri via trying every
?
candidate value v by checking Av = g αri within the rule domain. In this way,
MB could obtain the value ri for Ri and rj for Rj . After the completion of
2
preprocessing protocol, MB obtains the reusable obfuscated rule Ii = g kαri +k
kαri +k2 kαrj +k2
for rule ri . Now, MB knows values ri , rj , Ii = g , Ij = g . It
(ri −rj )−1 kα kα
can then computes (Ii /Ij ) to obtain a value g . With g , ri and
2 2 2
Ii = g kαri +k , it can compute Ii /(g kα )ri = g k . With g k and g kα , MB could
forge the reusable obfuscated rule successfully for any rule it chooses. With the
forged (but valid) reusable obfuscated rule, MB could detect more than it is
allowed, which violates the privacy requirement of the encrypted traffic.
In the above, we describe the token encryption when the endpoint is a client.
When the endpoint is a server, the server will first run the same tokenization
step, and encrypts the tokens as the step 1 and step 2 described in Fig. 4.
Gateway Checking. This phase will be executed when a client connects to
a server for the first time. For the traffic sent from the client to a server for
the first time, the client attaches (salt, Cks , Cw , Cx , Cy ). This enables the server
to perform the validation of the encrypted traffic during the traffic validation
phase. Cks and ks serve as the randomness to mask the values g w , g x and g xy . The
correctness of Cks will be checked once the traffic reached the server. To ensure
that g w , g x and g xy are masked by Cks correctly, GW simply checks whether
the following equations hold: Cw = (Cks )w , Cx = (Cks )x and Cy = (Cks )xy .
Traffic Detection. During the traffic detection phase, MB performs the equal-
ity check between the encrypted tokens in the traffic and the encrypted rules it
kept. The traffic detection algorithm is described as follows. MB first initial-
izes a counter table CTr to record the encrypted rule Eri for each rule ri . The
encrypted rule Eri for rule ri is computed as Eri = EncSi (salt + countri ), where
countri is initialized to be 0. MB then generates a search tree that contains the
encrypted rules. If a match is found, MB takes the corresponding action, deletes
the old Eri corresponding to ri , increases countri by 1, computes and inserts a
new Eri into the tree, where the new Eri is computes as EncSi (salt + countri ).
Traffic Validation. If it is the first session between a client and a server, upon
receiving (salt, Cks , Cw , Cx , Cy ), the server checks whether the equation Cks =
g ks holds, where ks is derived (by the server) from the key ksk of the regular TLS
−1
handshake protocol. If the equation holds, the server computes (Cw )(ks ) = g w ,
−1 −1
(Cx )(ks ) = g x , (Cy )(ks ) = g xy . With the computed (g w , g x , g xy ), the server
runs the same token encryption algorithm on the plaintext decrypted from the
Input: MB has inputs {(Ri , σi , ki )}i∈[n] , where Ri = g rw,i +ki ; GW has input pk.
The protocol is run between GW and MB:
1. GW chooses a random x ∈ Z∗p , computes X = g x , and sends X to MB.
2. MB sends {(Ri , σi )}i∈[n] to GW.
3. Upon receiving {(Ri , σi )}i∈[n] , GW does:
(1) Check if σi is a valid signature on Ri using pk for i ∈ [n]; if not, halt and
output ⊥.
(2) Choose a random y ∈ Z∗p and compute Y = g y . Compute Xi = (Ri · Y )x =
g xrw,i +xki +xy for i ∈ [n], and return {Xi }i∈[n] to MB.
4. MB computes Ki = Xi /(X)ki = g xrw,i +xy for i ∈ [n] as the reusable randomized
rule for rule ri .
5. GW sets I0 = xy, I1 = x, I2 = g w as the initialization parameters, and sends
(I0 , I1 , I2 ) to the clients within its domain.
Input: The client (resp. the server) has input c. MB has input {Ki }i∈[n] .
The protocol is run among a client, a server and MB:
1. The client computes C = g c and sends C to MB (through GW). Meanwhile,
the server sets Cs = c and sends Cs to MB.
2. MB checks whether C equals g Cs . If yes, for i ∈ [n], it calculates Si = (Ki ·C)Cs =
g c(xrw,i +xy+c) as the session detection rule for rule ri .
encrypted TLS traffic as the client does. The server then checks whether the
resulting encrypted tokens equal the encrypted tokens received from MB. If
not, it indicates that the client is malicious. On the other hand, if it is the traffic
sent from the server to the client, the client will do the same token encryption
algorithm as the server does, and compares the resulting encrypted tokens with
the received encrypted tokens from MB as well.
Rule Addition. In practice, new rules may be required to be added into the
system. For a new rule ri ∈ R for i ∈ [n ], RG randomly chooses ki ∈ Zp ,
calculates rw,i = PRFW (ri ) and Ri = g rw,i +ki . It then signs the generated Ri
with sk to generate the signature σi of Ri . Finally, it sends the newly added
attack rule tuples {Ri , σi , ki }i∈[n ] to MB. For the newly added attack rule
tuples, the rule addition protocol is described in Fig. 5, which is a simplified
protocol of the preprocessing protocol.
Input: The client has inputs (I0 , I1 , I2 ), a token t, the random keys ks and c, the value
R, a salt salt and a counter table T, where I0 = xy, I1 = x and I2 = g w .
The algorithm is run by the client as follows:
1. Compute I = I0 + c = xy + c.
2. For each token t:
• If there exists no tuple corresponding to t in T: compute tw = PRFI2 (t), Tt =
g c(I1 tw +I) = g c(xtw +xy+c) , set countt = 0, compute the encryption of t as
Et = EncTt (salt). Finally, insert tuple (t, Tt , countt ) into T.
• If there exists a tuple (t , Tt , countt ) in T where t = t: update countt =
countt + 1, and compute the encryption of t as Et = EncTt (salt + countt ).
3. If it is the first session, compute Cks = g ks , Cw = (I2 )ks = g wks , Cx = g I1 ks =
g xks and Cy = g I0 ks = g xyks . The parameters (salt, Cks , Cw , Cx , Cy ) will be sent
along with the encrypted token Et for token t.
Input: MB has newly added attack rule tuple set {(Ri , σi , ki )}i∈[n ] , where Ri =
g rw,i +ki ; GW has inputs Y , x.
The protocol is run between GW and MB:
1. MB sends {(Ri , σi )}i∈[n ] to GW.
2. Upon receiving {(Ri , σi )}i∈[n ] , GW does: (1) Check if σi is a valid signature on
Ri using pk for i ∈ [n ]; if not, halt and output ⊥. (2) Compute Xi = (Ri · Y )x =
g xrw,i +xki +xy for i ∈ [n ], and send {Xi }i∈[n ] to MB.
3. MB computes the reusable randomized rule Ki = Xi /(X)ki for i ∈ [n ].
5 Security
Let I0,i be the index set that match ri in S0 and I1,i be the index set that match
ri in S1 . If I0,i = I1,i and b = b for all i, we say that the adversary wins the above
game. The advantage of the adversary in the game is defined as Pr[b = b] − 1/2.
Construction. The construction below captures the main structure from the
security point of view.
– Setup(λ): Let PRF be a pseudorandom function. Generate x, y, c, w ∈ Zp , set
(x, y, c, g w ) as the key.
– TokenEnc(t1 , ..., tn , sk): Let salt be a random salt. For i ∈ [n], do: (a) Let
count be the number of times that token ti repeats in the sequence t1 ,...,ti−1 ;
(b) Calculate tw,i = PRFgw (ti ), Tti = g c(xtw,i +xy+c) , ci = H(Tti , salt + count).
Finally, the algorithm outputs (c1 , ..., cn ) and salt.
– RuleEnc(r, sk): Compute rw = PRFgw (r), S = g c(xrw +xy+c) , output H(S).
Theorem 1. Suppose H is a random oracle, the construction in Sect. 5.1 is a
secure middlebox searchable encryption scheme.
The proof of this theorem is provided in Appendix B.1.
Inputs: GW has inputs x, y ∈ Zp ; MB has inputs ({Ri , ki }i∈[n] ), where Ri = g rw,i +ki .
The protocol is run between GW and MB:
1. GW computes X = g x , and sends X to MB.
2. MB sends {Ri }i∈[n] to GW.
3. GW computes Xi = (Ri · g y )x for i ∈ [n], and send {Xi }i∈[n] to MB.
4. MB computes Ki = Xi /(X)ki as the reusable randomized rule for rule ri .
Security. The security definition for a rule hiding scheme is defined between a
challenger C and an adversary A as follows.
Construction.
– Setup(λ): Let PRF be a pseudorandom function. Choose random k, w ∈ Zp ,
set g w as sk, k as pk.
– RuleHide(pk, sk, r): Calculate rw = PRFsk (r), R = g rw +k , and output R.
6 Performance Evaluations
We investigate the performance of the network connection between a client and
a server. Since PrivDPI perfoms better than BlindBox, we only present the
comparison with PrivDPI. Let an one-round connection be a connection from
the client to the server. The running time of a one-round connection reflects
how fast a client can be connected to a server, and the communication cost
captures the amount of overhead data need to be transferred for establishing
this connection. Ideally, the running time for one-round connection should be
as small as possible. The less running time it incurs, the faster a client can
connect to a server. Similarly, it is desirable to minimize network communication
overhead. We test the running time and the communication cost of one-round
connection for our protocol and PrivDPI respectively. Our experiments are run
on a Intel(R) Core i7-8700 CPU running at 3.20 Ghz with 8 GB RAM under
64bit Linux operating system. The CPU supports AES-NI instructions, where
Pine 17
Time (ms)
700
2000 600
600
1500 500
500
1000 400
400 500 300
300 0 200
0 1000 2000 3000 4000 5000 6000 0 1000 2000 3000 4000 5000 6000 0 2000 4000 6000 8000 10000
Number of rules Number of rules Number of tokens
0 300 200
0 2000 4000 6000 8000 10000 0 500 1000 1500 2000 2500 3000 0 500 1000 1500 2000 2500 3000
Number of tokens Number of added rules Number of added rules
the encryption of token and the encryption of rule reflect this hardware support.
The experiments are built on Charm-crypto [1], and is based on NIST Curve
P-256. As stated in Sect. 3, both the rules and the tokens consist of 8 bytes. For
simplicity, the payload that we test does not contain repeated tokens. We test
each case for 20 times and takes the average.
How does the number of rules influence the one-round connection?
Figure 7a illustrates the running time for one-round connection with 5,000 tokens
when the number of rules range from 600 to 6,000. It is demonstrated that Pine
takes less time than PrivDPI for each case, the more rules, the less time Pine
takes compared to PrivDPI. This means that it takes less time for a client in Pine
to connect to a server. In particular, for 5,000 tokens and 6,000 rules, it takes
approximately 665 ms for Pine, while PrivDPI takes approximately 912 ms. That
is, the delay for one-round connection of Pine is 27% less than PrivDPI; for 5,000
tokens and 3,000 rules, it takes approximately 488 ms for Pine, while PrivDPI
takes approximately 616 ms. In other words, a client in Pine connects to a server
with 20.7% faster speed than PrivDPI. Figure 7b shows the communication cost
for one-round connection with 5,000 tokens when the number of rules range from
600 to 6,000. The communication cost of PrivDPI grows linearly with the number
of rules, while for Pine it is constant. The more rules, the more communication
cost PrivDPI incurs. This is because the client in PrivDPI needs to run the
preprocessing protocol with MB, and the communication cost incurred by this
preprocessing protocol is linear with the number of rules.
How does the number of tokens influence the one-round connec-
tion? We fix the number of rules to be 3,000, and test the running time and
communication cost when the number of tokens range from 1,000 to 10,000.
18 J. Ning et al.
Figure 7c shows that the running time of Pine is linear with the number of tokens
in the payload, the same as PrivDPI. However, for each case, the time consumed
of Pine is less than PrivDPI, this is due to the following two reasons. The first
is that a client in Pine does not need to perform the preprocessing protocol for
the 3,000 rules. The second is that, the encryption of a token in PrivDPI mainly
takes one multiplication in G, one exponentiation in G, and one AES encryption.
While in Pine, the encryption of a token mainly takes one hash operation, one
exponentiation in G, and one AES encryption. That is, the token encryption of
Pine is faster than that of PrivDPI. Figure 7d shows the communication cost of
one-round connection with 3,000 rules when the number of tokens range from
1,000 to 10,000. Similar to the running time, the communication costs of Pine
and PrivDPI are both linear with the number of tokens, but Pine incurs less
communication than PrivDPI. This is due to the additional communication cost
of the preprocessing protocol in PrivDPI for 3,000 rules.
How does the number of newly added rules influence the one-round
connection? We test the running time and communication cost with 3,000 rules
and 5,000 tokens when the number of newly added rules range from 300, to
3,000. Figure 7e shows that Pine takes less time than PrivDPI. For 3,000 newly
added rules, Pine takes 424.96 ms, while PrivDPI takes 913.52 ms. That is, Pine
is 53.48% faster than PrivDPI. Figure 7f shows that the communication cost
of Pine is less than PrivDPI. In particular, the communication cost of Pine is
independent of the number of newly added rules, while PrivDPI is linear with
the number of newly added rules. This is because the client in Pine does not
need to perform preprocessing protocol online.
7 Related Work
Our protocol is constructed based on BlindBox proposed by Sherry et al. [20] and
PrivDPI proposed by Ning et al. [15], as was stated in the introduction. Blind-
Box introduces privacy-preserving deep packet inspection on encrypted traffic
directly, while PrivDPI utilises an obfuscated rule generation mechanism with
improved performance compared to BlindBox. Using the construction in Blind-
Box as the underlying component, Lan et al. [9] further proposed Embark that
leverages on a trusted enterprise gateway to perform privacy-preserving detec-
tion in a cloud-based middlebox setting. In Embark, the enterprise gateway needs
to be fully trusted and learns the content of the traffic and the detection rules,
although in this case the client does not need to perform any operation as in our
protocol. Our work focuses on the original setting of BlindBox and PrivDPI with
further performance improvements, new properties and stronger privacy guar-
antee, while considering the practical enterprise gateway setting, in which the
gateway needs not be fully trusted. Canard et al. [4] also proposed a protocol,
BlindIDS, based on the concept of BlindBox, that has a better performance. The
protocol consists of a token-matching mechanism that is based on pairing-based
public key operation. Though practical, it is not compatible to TLS protocol.
Pine 19
8 Conclusion
In this paper, we proposed Pine, a protocol that allows inspection of encrypted
traffic in a privacy-preserving manner. Pine builds upon the settings of BlindBox
and techniques of PrivDPI in a practical setting, yet enables hiding of rule sets
from the middleboxes with significantly improved performance compared to the
two prior works. Furthermore, the protocol allows lightweight rules addition on
the fly, which to the best of our knowledge has not been considered previously.
Pine utilises the common practical enterprise setting where clients establish con-
nections to Internet servers via an enterprise gateway, in such a way that the
gateway assists in establishing the encrypted rule sets without learning the con-
tent of the client’s traffic. At the same time, a middlebox inspects the encrypted
traffic without learning both the underlying rules and content of the traffic. We
demonstrated the improved performance of Pine over PrivDPI through extensive
experiments. We believe Pine is a promising approach to detect malicious traffic
amid growing privacy concerns for both corporate and individual users.
Among these pieces there are seven ghost stories, four accounts of
transformation of men or animals, eleven other household tales, one
legend, and one fable. This last piece (No. 11, pp. 27, 29) is probably
of Hottentot origin. I have therefore thought it best to give it a place
in this little book (No. 14), where it precedes that Hottentot Fable, to
which its concluding [28]portions bear such a striking resemblance. It
is not unlikely that the beginning of this Hottentot Fable of The
Giraffe and the Tortoise is missing. It may have been similar to the
beginning of the corresponding one in Damara. As far as it goes the
Hottentot Fable is however evidently more original than the o Tyi-
hereró text. As a specimen of o Tyi-hereró household tales, I have
given Rath’s fifteenth piece, the story of The Unreasonable Child to
whom the Dog gave its Deserts.
You will also approve of my having added the Zulu legend of the
Origin of Death, which in its mixture of Fable and Myth, and even in
several details of its composition, shows a great analogy to the
Hottentot treatment of the same subject, of which I am able to give
here four different versions.
In writing the last lines of this Preface, the interest which I feel for
these Hottentot Fables is almost fading away before those rich
treasures of your library which have just arrived from England; and
as all our present efforts are of course given to the proper settling of
these jewels of our library, I can merely send, with grateful
acknowledgments, our most fervent wishes for your well-doing, and
our sincere hope of seeing you, at no distant day, again in the midst
of us.
Believe me,
My dear Sir George,
Yours most faithfully,
W. H. I. BLEEK.
1 Cisgariepian, from the Nama point of view, i.e., to the North of the Orange
River. ↑
2 I give here some extracts from Mr. Wallmann’s letter, dated Barmen, 13th April,
1850, which was the only help of a grammatical or lexical nature then available
for me in my study of this Nama translation of Luke’s Gospel:—
“I transmit hereby Luke’s Gospel in Namaqua, … which I can lend you, however,
only for four weeks, as I have already previously promised it to some one else.
“Should your labours permit it, I wish to request you to make a little trial whether
the Namaqua is somewhat related to the South African family of Languages. For
the present a mere negative decision on this point is all that is wanted, and I
should like to have very soon the opinion of some good philologist regarding it.
Moffat [16]states that when he gave specimens of Namaqua to a Syrian who came
from Egypt, he was told that he (the Syrian) had seen slaves in the market of Cairo
who were of lighter colour than other Africans, and whose language resembled
that of the Namaqua. Moffat also says that some ancient authors have mentioned
a nation in the interior of Africa who were very similar to the Hottentots. Moffat
seems himself, however, to ascribe little value to these accounts, for his guesses
fall at once upon the Chinese. According to communications from our Missionary
Knudsen, the Namaqua language seems well formed. He mentions as personal
pronouns:—
Tita saaz χyb sada sako χyku
I thou (sāts) he (ǁẽip) we you they (ǁĕiku)
but to show the modifications which the pronouns undergo according to the
gender, and whether the person (spoken to) is included or excluded (in the first
person plural), the following examples of inclusive or exclusive forms are given:—
“We are captains.”
(incl.) Sake ke kauauke mascul.
(excl.) Sike ke kauauke
“The second person of the plural is said to have not more than half as many
distinctions; and the third person plural has only the following:—
χyku ke kauauga—mascul.
χyte ke kautate—fem.
χyn ke tana-khoina—com.
χykha ke kauaukha—dual. mascul.
χyra ke kautara—dual. fem.
χyra ke tana-khoira—dual. com.
“You will therefore oblige me by looking into the Namaqua Luke, and by having the
kindness to write me your opinion regarding it.” ↑
3 Report of the Correspondence and Paper read at the General Meeting of the
Syro-Egyptian Society, Session of 1851 and 1852. Read at the Anniversary
Meeting, held April 20th, 1852, 8vo. pp. 6, 8. ↑
4 “Ethnology of the Indo-Pacific Islands.” By J. R. Logan, Esq., Hon. Fellow of the
Ethnological Society. Language, Part ii. “The Races and Languages of S.E.
Asia, considered in relation to those of the Indo-Pacific Islands,” Chapter v.,
sections i. to vi. [From the Journal of the Indian Archipelago and Eastern Asia,
June and December, 1853, to December, 1854.] Singapore: Printed by Jakob
Baptist, 8vo., pp. 229, 294, sec. 6. The Semitico-African [20]Languages, viz.:—1.
General Characters, p. 229; 2. Egyptian, p. 248; 3. Hottentot, p. 248; 4. Shemo-
Hamitic, or Assyro-Berber, p. 259. ↑
5 Mr. Rath’s Manuscript consists of sixty-one pages, with double columns,
foolscap folio. It contains the following pieces:—
The Spectre
1. Sweethearts, pp. 1, 2.
The Lion
2. Husbands, pp. 2, 5.
Tenacity
3. of a Loving Mother’s Care, pp. 5, 6.
The Girl
4. who ran after her Father’s Bird, pp. 6, 12.
The Handsome
5. Girl, pp. 12, 15.
The Little
6. Bushman Woman, pp. 17, 18.
Punishment
7. of Imposition, pp. 19, 21.
The Spectre
8. who Fell in Love with his Son’s Wife, pp. 22, 23.
The Lunatic,
9. p. 23. [27]
The10.
Girls who Escaped from the Hill Damaras, pp. 24, 26.
The11.
Elephant and the Tortoise, pp. 27, 29.
The12.
Two Wives, pp. 29, 33.
The13.
Lion who took different Shapes, pp. 34, 35.
The14.
Little Girl left in the Well by her wicked Companions, pp. 35, 38.
The15.
Unreasonable Child to whom the Dog gave its Deserts, pp. 39, 43
Rutanga,
16. p. 44.
The17.
Ghost of the Man who was Killed by a Rhinoceros in
consequence of his Father’s Curse, pp. 45, 47.
The18.
Trials of Hambeka, a Spirit risen from the Dead, pp. 47, 50.
The19.
Little Girl who was teased by an Insect, p. 51.
The20.
same as 16 (Rutanga) p. 52.
Conjugal
21. Love after Death, p. 53.
The22.
Bad Katjungu and the Good Kahavundye, pp. 54, 57.
The23.
Wife who went after her Husband, pp. 57, 59.
The24.
Little Girl Murdered by the Hill Damara, pp. 59, 61.
6 The title of Mr. Knudsen’s first Manuscript is, “Südafrica: Das Hottentot-Volk;
Notizzen (Manuscript) H. C. Knudsen.” 4to., p. 12. Its contents are, Bushman
Land, [29]p. 3; the different kinds of Rain, p. 3; Bethany (in Great Namaqualand),
p. 3; the Damara, p. 4; the Grassy Plain, p. 4; the Diseases, pp. 4, 5; Birdsnests, p.
5; Marriage and Wedding among the Namaqua, p. 5; Extent of Authority among
the Namaqua, p. 5; Similarity with the Jewish manner of Thinking, Counting,
Eating, Drinking, Praying, Mode of Speech, and manner of Reckoning
Relationship, p. 6; Heitsi Eibip or Kabip, p. 7; Origin of the Modes of Life of the
Namaqua and Bushmen, pp. 7, 8; Coming of Age among the Hottentots, p. 8;
Names of Hottentot Tribes and their probable Etymology, pp. 8, 9; Are the
Hottentots of Egyptian or Phœnician Origin? p. 9; Are the Hottentots of Jewish or
Moabitic Origin? pp. 9, 10; Appendix, pp. 11, 12.
Mr. Knudsen’s second Manuscript has the following title, “Stoff zu einer Grammatik
in der Namaquasprache (Manuscript), H. C. Knudsen.” 4to. pp. 29. After a few
general introductory remarks, and a short explanation of the Hottentot Alphabet,
Mr. Knudsen treats of the different Parts of Speech:—I. Nouns, pp. 3, 4; II.
Adjectives, pp. 4, 5; III. Pronouns, pp. 5, 10; IV. Numerals, p. 11; V. Verbs, pp. 12,
24; Interrogative Sentences, pp. 25, 26; Concluding Remarks, pp. 26, 29. ↑
[Contents]
I.
JACKAL FABLES.
[Contents]
Then answered the animal to whom the question was first put—
All answered the same; but when he asked the little Fox, the little
Fox said—
“My boy, thou son of the lean Mrs. Fox, thou wilt never be caught.”
Truly the Lion was thus beaten in running by the little Fox. [35]
[Contents]
The Lion and the Jackal, it is said, were one day lying in wait for
elands. The Lion shot (with the bow) and missed, but the Jackal hit
and sang out, “Hah! Hah!” The Lion said, “No, you did not shoot
anything. It was I who hit.” The Jackal answered, “Yea, my father,
thou hast hit.” Then they went home in order to return when the
eland was dead, and cut it up. The Jackal, however, turned back,
unknown to the Lion, hit his nose so that the blood ran on the spoor
of the elands, and followed their track thus, in order to cheat the
Lion. When he had gone some distance, he returned by another way
to the dead eland, and creeping into its carcase, cut out all the fat.
When the Jackal arrived, he did not give the fat to the Lion’s wife, but
to his own wife and children; he gave, however, the lungs to the
Lion’s wife, and he pelted the Lion’s little children with the lungs,
saying:
[Contents]
The Lion and the Jackal went together a-hunting. They shot with
arrows. The Lion shot first, but his arrow fell short of its aim; but the
Jackal hit the game, and joyfully cried out, “It has hit.” The Lion
looked at him with his two large eyes; the Jackal, however, did not
lose his countenance, but said, “No, Uncle, I mean to say that you
have hit.” Then they followed the game, and the Jackal passed the
arrow of the Lion without drawing the latter’s attention to it. When
they arrived at a cross-way, the Jackal said, “Dear Uncle, you are old
and tired; stay here.” The Jackal went then on a wrong track, beat
his nose, and, in returning, let the blood drop from it like traces of
game. “I could not find anything,” he said, “but I met with traces of
blood. You had better go yourself to look for it. In the meantime I
shall go this other way.” The Jackal soon found the killed animal,
crept inside of it, and devoured the best portion; [38]but his tail
remained outside, and when the Lion arrived, he got hold of it, pulled
the Jackal out, and threw him on the ground with these words: “You
rascal!” The Jackal rose quickly again, complained of the rough
handling, and asked, “What have I then now done, dear Uncle? I
was busy cutting out the best part.” “Now let us go and fetch our
wives,” said the Lion; but the Jackal entreated his dear Uncle to
remain at the place because he was old. The Jackal went then away,
taking with him two portions of the flesh, one for his own wife, but the
best part for the wife of the Lion. When the Jackal arrived with the
flesh, the children of the Lion saw him, began to jump, and clapping
their hands, cried out, “There comes Uncle with flesh!” The Jackal
threw, grumbling, the worst portion to them, and said, “There, you
brood of the big-eyed one!” Then he went to his own house and told
his wife immediately to break up the house, and to go where the
killed game was. The Lioness wished to do the same, but he forbade
her, and said that the Lion would himself come to fetch her.
When the Jackal, with his wife and children, had arrived in the
neighbourhood of the killed animal, he ran into a thorn bush,
scratched his face so that it bled, and thus made his appearance
before the Lion, [39]to whom he said, “Ah! what a wife you have got.
Look here, how she scratched my face when I told her that she
should come with us. You must fetch her yourself; I cannot bring
her.” The Lion went home very angry. Then the Jackal said, “Quick,
let us build a tower.” They heaped stone upon stone, stone upon
stone, stone upon stone; and when it was high enough, everything
was carried to the top of it. When the Jackal saw the Lion
approaching with his wife and children, he cried out to him, “Uncle,
whilst you were away we have built a tower, in order to be better able
to see game.” “All right,” said the Lion; “but let me come up to you.”
“Certainly, dear Uncle; but how will you manage to come up? We
must let down a thong for you.” The Lion ties himself to the thong,
and is drawn up; but when he is nearly at the top the thong is cut by
the Jackal, who exclaims, as if frightened, “Oh, how heavy you are,
Uncle! Go, wife, fetch me a new thong.” (“An old one,” he said aside
to her.) The Lion is again drawn up, but comes of course down in the
same manner. “No,” said the Jackal, “that will never do; you must,
however, manage to come up high enough, so that you may get a
mouthful at least.” Then aloud he orders his wife to prepare a good
piece, but aside he tells her to make a [40]stone hot, and to cover it
with fat. Then he drew up the Lion once more, and, complaining that
he is very heavy to hold, he tells him to open his mouth, whereupon
he throws the hot stone down his throat. When the Lion has
devoured it, he entreats and requests him to run as quickly as
possible to the water. [41]
[Contents]
The Jackal, it is said, married the Hyena, and carried off a cow
belonging to ants, to slaughter her for the wedding; and when he had
slaughtered her, he put the cow-skin over his bride; and when he
had fixed a pole (on which to hang the flesh), he placed on the top of
the pole (which was forked) the hearth for cooking, in order to cook
upon it all sorts of delicious food. There came also the Lion to the
spot, and wished to go up. The Jackal, therefore, asked his little
daughter for a thong with which he could pull the Lion up, and he
began to pull him up; and when his face came near to the cooking-
pot, he cut the thong in two, so that the Lion tumbled down. Then the
Jackal upbraided his little daughter with these words: “Why do you
give me such an old thong?” And he added, “Give me a fresh thong.”
She gave him a new thong, and he pulled the Lion up again, and
when his face came near the pot, which stood on [42]the fire, he said,
“Open your mouth.” Then he put into his mouth a hot piece of quartz
which had been boiled together with the fat, and the stone went
down, burning his throat. Thus died the Lion.
There came also the ants running after the cow, and when the Jackal
saw them he fled. Then they beat the bride in her brookaross dress.
The Hyena, believing that it was the Jackal, said—
“You tawny rogue! have you not played at beating long enough?
Have you no more loving game than this?”
But when she had bitten a hole through the cow-skin, she saw that
they were other people; then she fled, falling here and there, yet she
made her escape. [43]
[Contents]
A White Man, it is said, met a Snake upon whom a large stone had
fallen and covered her, so that she could not rise. The White Man
lifted the stone off the Snake, but when he had done so, she wanted
to bite him. The White Man said, “Stop! let us both go first to some
wise people.” They went to the Hyena, and the White Man asked
him, “Is it right that the Snake should want to bite me, though I
helped her, when she lay under a stone and could not rise?”
The Hyena (who thought he would get his share of the White Man’s
body) said: “If you were bitten what would it matter?”
Then the Snake wanted to bite him, but the White Man said again:
“Wait a little, and let us go to other wise people, that I may hear
whether this is right.”
They went and met the Jackal. The White Man said to the Jackal: “Is
it right that the Snake wants [44]to bite me, though I lifted up the
stone which lay upon her?”
The Jackal replied: “I do not believe that the Snake could be covered
by a stone and could not rise. Unless I saw it with my two eyes, I
would not believe it. Therefore, come let us go and see at the place
where you say it happened whether it can be true.”
They went, and arrived at the place where it had happened. The
Jackal said: “Snake, lie down, and let thyself be covered.”
The Snake did so, and the White Man covered her with the stone;
but although she exerted herself very much, she could not rise. Then
the White Man wanted again to release the Snake, but the Jackal
interfered, and said: “Do not lift the stone. She wanted to bite you;
therefore she may rise by herself.”
Then they both went away and left the Snake under the stone. [45]
[Contents]
The Man answered, “That is not right. Let us first go to the Hare.”
When the Hare had heard the affair, he said, “It is right.” “No,” said
the Man, “let us ask the Hyena.”
“Now let us at last ask the Jackal,” said the Man in his despair.
When she was fast, the Jackal said, “Now let her lie there.” [46]
[Contents]
7. CLOUD-EATING.
(The original, in the Hottentot language, is in Sir G. Grey’s Library, G. Krönlein’s
Manuscript, pp. 30, 31.)
THE HYENA.
The Jackal and the Hyena were together, it is said, when a white
cloud rose. The Jackal ascended upon it, and ate of the cloud as if it
were fat.
When she was satisfied, she said, “My greyish brother, now catch
me well.” The greyish rogue said to his friend, “My sister, I shall
catch thee well. Come therefore down.”
He held up his hands, and she came down from the cloud, and when
she was near, the Jackal cried out (painfully jumping to one side),
“My sister, do not take it ill. Oh me! oh me! A thorn has pricked me,
and sticks in me.” Thus she fell down from above, and was sadly
hurt.
Since that day, it is said, that the Hyena’s left hind foot is shorter and
smaller than the right one. [48]
[Contents]
8. FISH-STEALING.
(From Sir James E. Alexander’s “Expedition of Discovery into the Interior of
Africa,” vol. ii. pp. 246, 247.)
THE HYENA.
“Throw it into the waggon,” said the driver, and the Jackal was
thrown in.
The waggon travelled on through a moonlight night, and all the while
the Jackal was throwing the fish out into the road; he then jumped
out himself, and secured a great prize. But a stupid old Hyena
coming by, ate more than her share, for which the Jackal owed her a
grudge; so he said to her, “You can get plenty of fish, too, if you lie in
the way of a waggon as I did, and keep quite still whatever
happens.”
Accordingly, when the next waggon came from the sea, the Hyena
stretched herself out in the road.
“What ugly thing is this?” cried the leader, and kicked the Hyena. He
then took a stick and thrashed her within an inch of her life. The
Hyena, according to the directions of the Jackal, lay quiet as long as
she could; she then got up and hobbled off to tell her misfortune to
the Jackal, who pretended to comfort her.
“What a pity,” said the Hyena, “that I have not such a handsome skin
as you!” [50]
[Contents]
“Look at the Hyena’s tail,” said the rogue, “and you will see who is
the thief.” The man did so, and then thrashed the Hyena till she was
nearly dead. [51]
[Contents]
The Lion, it is said, was ill, and they all went to see him in his
suffering. But the Jackal did not go, because the traces of the people
who went to see him did not turn back. Thereupon, he was accused
by the Hyena, who said, “Though I go to look, yet the Jackal does
not want to come and look at the man’s sufferings.”
Then the Lion let the Hyena go, in order that she might catch the
Jackal; and she did so, and brought him.
The Lion asked the Jackal: “Why did you not come here to see me?”
The Jackal said, “Oh no! when I heard that my uncle was so very ill, I
went to the witch (doctor), to consult him, whether and what
medicine would be good for my uncle against the pain. The doctor
said to me, ‘Go and tell your uncle to take hold of the Hyena and
draw off her skin, and put it on while it is still warm. Then he [52]will
recover.’ The Hyena is one who does not care for my uncle’s
sufferings.”
The Lion followed his advice, got hold of the Hyena, drew the skin
over her ears, whilst she howled with all her might, and put it on. [53]
[Contents]
The Jackal, it is said, came once to the Dove, who lived on the top of
a rock, and said, “Give me one of your little children.” The Dove
answered: “I shall not do anything of the kind.” The Jackal said,
“Give it me at once! Otherwise, I shall fly up to you.” Then she threw
one down to him.
He came back another day, and demanded another little child, and
she gave it to him. After the Jackal had gone, the Heron came, and
asked, “Dove, why do you cry?” The dove answered him: “The