Liqun Chen
Ninghui Li
Kaitai Liang
Steve Schneider (Eds.)
LNCS 12308

Computer Security –
ESORICS 2020
25th European Symposium
on Research in Computer Security, ESORICS 2020
Guildford, UK, September 14–18, 2020, Proceedings, Part I
Lecture Notes in Computer Science 12308

Founding Editors
Gerhard Goos
Karlsruhe Institute of Technology, Karlsruhe, Germany
Juris Hartmanis
Cornell University, Ithaca, NY, USA

Editorial Board Members


Elisa Bertino
Purdue University, West Lafayette, IN, USA
Wen Gao
Peking University, Beijing, China
Bernhard Steffen
TU Dortmund University, Dortmund, Germany
Gerhard Woeginger
RWTH Aachen, Aachen, Germany
Moti Yung
Columbia University, New York, NY, USA
More information about this series at http://www.springer.com/series/7410
Liqun Chen • Ninghui Li • Kaitai Liang • Steve Schneider (Eds.)


Computer Security –
ESORICS 2020
25th European Symposium
on Research in Computer Security, ESORICS 2020
Guildford, UK, September 14–18, 2020
Proceedings, Part I

Editors
Liqun Chen, University of Surrey, Guildford, UK
Ninghui Li, Purdue University, West Lafayette, IN, USA
Kaitai Liang, Delft University of Technology, Delft, The Netherlands
Steve Schneider, University of Surrey, Guildford, UK

ISSN 0302-9743 ISSN 1611-3349 (electronic)


Lecture Notes in Computer Science
ISBN 978-3-030-58950-9 ISBN 978-3-030-58951-6 (eBook)
https://doi.org/10.1007/978-3-030-58951-6
LNCS Sublibrary: SL4 – Security and Cryptology

© Springer Nature Switzerland AG 2020


This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are
believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors
give a warranty, expressed or implied, with respect to the material contained herein or for any errors or
omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in
published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Preface

The two-volume set, LNCS 12308 and 12309, contains the papers that were selected for presentation and publication at the 25th European Symposium on Research in Computer Security (ESORICS 2020), which was held together with affiliated workshops during the week of September 14–18, 2020. Due to the global COVID-19 pandemic, the conference and workshops ran virtually, hosted by the University of Surrey, UK. The aim of ESORICS is to further research in computer security and privacy by establishing a European forum, bringing together researchers in these areas by promoting the exchange of ideas with system developers and by encouraging links with researchers in related fields.

In response to the call for papers, 366 papers were submitted to the conference. These papers were evaluated on the basis of their significance, novelty, and technical quality. Except for a very small number of papers, each paper was carefully evaluated by three to five referees and then discussed among the Program Committee. The papers were reviewed in a single-blind manner. Finally, 72 papers were selected for presentation at the conference, yielding an acceptance rate of 19.7%. We were also delighted to welcome invited talks from Aggelos Kiayias, Vadim Lyubashevsky, and Rebecca Wright.

Following the reviews, two papers were selected for Best Paper Awards; they share the 1,000 EUR prize generously provided by Springer: “Pine: Enabling privacy-preserving deep packet inspection on TLS with rule-hiding and fast connection establishment” by Jianting Ning, Xinyi Huang, Geong Sen Poh, Shengmin Xu, Jason Loh, Jian Weng, and Robert H. Deng; and “Automatic generation of source lemmas in Tamarin: towards automatic proofs of security protocols” by Véronique Cortier, Stéphanie Delaune, and Jannik Dreier.

The Program Committee consisted of 127 members across 25 countries. There were submissions from a total of 1,201 authors across 42 countries, with 24 countries represented among the accepted papers.

ESORICS 2020 would not have been possible without the contributions of the many volunteers who freely gave their time and expertise. We would like to thank the members of the Program Committee and the external reviewers for their substantial work in evaluating the papers. We would also like to thank the organization/department chair, Helen Treharne, the workshop chair, Mark Manulis, and all of the workshop co-chairs, the poster chair, Ioana Boureanu, and the ESORICS Steering Committee. We are also grateful to Huawei and IBM Research – Haifa, Israel for their sponsorship, which enabled us to support this online event. Finally, we would like to express our thanks to the authors who submitted papers to ESORICS 2020. They, more than anyone else, are what made this conference possible.
We hope that you will find the proceedings stimulating and a source of inspiration for future research.

September 2020

Liqun Chen
Ninghui Li
Kaitai Liang
Steve Schneider
Organization

General Chair
Steve Schneider University of Surrey, UK

Program Chairs
Liqun Chen University of Surrey, UK
Ninghui Li Purdue University, USA

Steering Committee

Sokratis Katsikas (Chair)


Michael Backes
Joachim Biskup
Frederic Cuppens
Sabrina De Capitani di Vimercati
Dieter Gollmann
Mirek Kutylowski
Javier Lopez
Jean-Jacques Quisquater
Peter Y. A. Ryan
Pierangela Samarati
Einar Snekkenes
Michael Waidner

Program Committee
Yousra Aafer University of Waterloo, Canada
Mitsuaki Akiyama NTT, Japan
Cristina Alcaraz UMA, Spain
Frederik Armknecht Universität Mannheim, Germany
Vijay Atluri Rutgers University, USA
Erman Ayday Bilkent University, Turkey
Antonio Bianchi Purdue University, USA
Marina Blanton University at Buffalo, USA
Carlo Blundo Università degli Studi di Salerno, Italy
Alvaro Cardenas The University of Texas at Dallas, USA
Berkay Celik Purdue University, USA
Aldar C-F. Chan BIS Innovation Hub Centre, Hong Kong, China
Sze Yiu Chau Purdue University, USA
Rongmao Chen National University of Defense Technology, China


Yu Chen Shandong University, China
Sherman S. M. Chow The Chinese University of Hong Kong, Hong Kong, China
Mauro Conti University of Padua, Italy
Frédéric Cuppens Polytechnique Montreal, Canada
Nora Cuppens-Boulahia Polytechnique Montréal, Canada
Marc Dacier Qatar Computing Research Institute (QCRI), Qatar
Sabrina De Capitani di Vimercati Università degli Studi di Milano, Italy
Hervé Debar Télécom SudParis, France
Stéphanie Delaune University of Rennes, CNRS, IRISA, France
Roberto Di Pietro Hamad Bin Khalifa University, Qatar
Tassos Dimitriou Kuwait University, Kuwait
Josep Domingo-Ferrer Universitat Rovira i Virgili, Spain
Changyu Dong Newcastle University, UK
Wenliang Du Syracuse University, Italy
Haixin Duan Tsinghua University, China
François Dupressoir University of Bristol, UK
Kassem Fawaz University of Wisconsin-Madison, USA
Jose-Luis Ferrer-Gomila University of the Balearic Islands, Spain
Sara Foresti DI, Università degli Studi di Milano, Italy
David Galindo University of Birmingham, UK
Debin Gao Singapore Management University, Singapore
Joaquin Garcia-Alfaro Télécom SudParis, France
Thanassis Giannetsos Technical University of Denmark, Denmark
Dieter Gollmann Hamburg University of Technology, Germany
Stefanos Gritzalis University of the Aegean, Greece
Guofei Gu Texas A&M University, USA
Zhongshu Gu IBM Research, USA
Jinguang Han Queen’s University Belfast, UK
Feng Hao University of Warwick, UK
Juan Hernández-Serrano Universitat Politècnica de Catalunya, Spain
Xinyi Huang Fujian Normal University, China
Syed Hussain Purdue University, USA
Shouling Ji Zhejiang University, China
Ghassan Karame NEC Laboratories Europe, Germany
Sokratis Katsikas Norwegian University of Science and Technology, Norway
Stefan Katzenbeisser TU Darmstadt, Germany
Ryan Ko The University of Queensland, Australia
Steve Kremer Inria, France
Marina Krotofil FireEye, USA
Yonghwi Kwon University of Virginia, USA
Costas Lambrinoudakis University of Piraeus, Greece
Kyu Hyung Lee University of Georgia, USA
Shujun Li University of Kent, UK


Yingjiu Li Singapore Management University, Singapore
Kaitai Liang Delft University of Technology, The Netherlands
Hoon Wei Lim Trustwave, Singapore
Joseph Liu Monash University, Australia
Rongxing Lu University of New Brunswick, Canada
Xiapu Luo The Hong Kong Polytechnic University, Hong Kong, China
Shiqing Ma Rutgers University, USA
Leandros Maglaras De Montfort University, UK
Mark Manulis University of Surrey, UK
Konstantinos Markantonakis Royal Holloway, University of London, UK
Fabio Martinelli IIT-CNR, Italy
Ivan Martinovic University of Oxford, UK
Sjouke Mauw University of Luxembourg, Luxembourg
Catherine Meadows NRL, USA
Weizhi Meng Technical University of Denmark, Denmark
Chris Mitchell Royal Holloway, University of London, UK
Tatsuya Mori Waseda University, Japan
Haralambos Mouratidis University of Brighton, UK
David Naccache École normale supérieure, France
Siaw-Lynn Ng Royal Holloway, University of London, UK
Jianting Ning Singapore Management University, Singapore
Satoshi Obana Hosei University, Japan
Martín Ochoa Universidad del Rosario, Colombia
Rolf Oppliger eSECURITY Technologies, Switzerland
Manos Panousis University of Greenwich, UK
Olivier Pereira UCLouvain, Belgium
Günther Pernul Universität Regensburg, Germany
Joachim Posegga University of Passau, Germany
Indrajit Ray Colorado State University, USA
Kui Ren Zhejiang University, China
Giovanni Russello The University of Auckland, New Zealand
Mark Ryan University of Birmingham, UK
Reihaneh Safavi-Naini University of Calgary, Canada
Brendan Saltaformaggio Georgia Institute of Technology, USA
Pierangela Samarati Università degli Studi di Milano, Italy
Damien Sauveron XLIM, UMR University of Limoges, CNRS 7252, France
Einar Snekkenes Norwegian University of Science and Technology, Norway
Yixin Sun University of Virginia, USA
Willy Susilo University of Wollongong, Australia
Pawel Szalachowski SUTD, Singapore


Qiang Tang Luxembourg Institute of Science and Technology, Luxembourg
Qiang Tang New Jersey Institute of Technology, USA
Juan Tapiador Universidad Carlos III de Madrid, Spain
Dave Jing Tian Purdue University, USA
Nils Ole Tippenhauer CISPA, Germany
Helen Treharne University of Surrey, UK
Aggeliki Tsohou Ionian University, Greece
Luca Viganò King’s College London, UK
Michael Waidner Fraunhofer, Germany
Cong Wang City University of Hong Kong, Hong Kong, China
Lingyu Wang Concordia University, Canada
Weihang Wang SUNY University at Buffalo, USA
Edgar Weippl SBA Research, Austria
Christos Xenakis University of Piraeus, Greece
Yang Xiang Swinburne University of Technology, Australia
Guomin Yang University of Wollongong, Australia
Kang Yang State Key Laboratory of Cryptology, China
Xun Yi RMIT University, Australia
Yu Yu Shanghai Jiao Tong University, China
Tsz Hon Yuen The University of Hong Kong, Hong Kong, China
Fengwei Zhang SUSTech, China
Kehuan Zhang The Chinese University of Hong Kong, Hong Kong, China
Yang Zhang CISPA Helmholtz Center for Information Security, Germany
Yuan Zhang Fudan University, China
Zhenfeng Zhang Chinese Academy of Sciences, China
Yunlei Zhao Fudan University, China
Jianying Zhou Singapore University of Technology and Design, Singapore
Sencun Zhu Penn State University, USA

Workshop Chair
Mark Manulis University of Surrey, UK

Poster Chair
Ioana Boureanu University of Surrey, UK

Organization/Department Chair
Helen Treharne University of Surrey, UK
Organizing Chair and Publicity Chair


Kaitai Liang Delft University of Technology, The Netherlands

Additional Reviewers

Abbasi, Ali Chaidos, Pyrros


Abu-Salma, Ruba Chakra, Ranim
Ahlawat, Amit Chandrasekaran, Varun
Ahmed, Chuadhry Mujeeb Chen, Haixia
Ahmed, Shimaa Chen, Long
Alabdulatif, Abdulatif Chen, Min
Alhanahnah, Mohannad Chen, Zhao
Aliyu, Aliyu Chen, Zhigang
Alrizah, Mshabab Chengjun Lin
Anceaume, Emmanuelle Ciampi, Michele
Angelogianni, Anna Cicala, Fabrizio
Anglés-Tafalla, Carles Costantino, Gianpiero
Aparicio Navarro, Francisco Javier Cruz, Tiago
Argyriou, Antonios Cui, Shujie
Asadujjaman, A. S. M. Deng, Yi
Aschermann, Cornelius Diamantopoulou, Vasiliki
Asghar, Muhammad Rizwan Dietz, Marietheres
Avizheh, Sepideh Divakaran, Dinil Mon
Baccarini, Alessandro Dong, Naipeng
Bacis, Enrico Dong, Shuaike
Baek, Joonsang Dragan, Constantin Catalin
Bai, Weihao Du, Minxin
Bamiloshin, Michael Dutta, Sabyasachi
Barenghi, Alessandro Eichhammer, Philipp
Barrère, Martín Englbrecht, Ludwig
Berger, Christian Etigowni, Sriharsha
Bhattacherjee, Sanjay Farao, Aristeidis
Blanco-Justicia, Alberto Faruq, Fatma
Blazy, Olivier Fdhila, Walid
Bolgouras, Vaios Feng, Hanwen
Bountakas, Panagiotis Feng, Qi
Brandt, Markus Fentham, Daniel
Bursuc, Sergiu Ferreira Torres, Christof
Böhm, Fabian Fila, Barbara
Camacho, Philippe Fraser, Ashley
Cardaioli, Matteo Fu, Hao
Castelblanco, Alejandra Galdi, Clemente
Castellanos, John Henry Gangwal, Ankit
Cecconello, Stefano Gao, Wei
Gardham, Daniel Koutroumpouchos, Nikolaos


Garms, Lydia Koutsos, Adrien
Ge, Chunpeng Kuchta, Veronika
Ge, Huangyi Labani, Hasan
Geneiatakis, Dimitris Lai, Jianchang
Genés-Durán, Rafael Laing, Thalia May
Georgiopoulou, Zafeiroula Lakshmanan, Sudershan
Getahun Chekole, Eyasu Lallemand, Joseph
Ghosal, Amrita Lan, Xiao
Giamouridis, George Lavranou, Rena
Giorgi, Giacomo Lee, Jehyun
Guan, Qingxiao León, Olga
Guo, Hui Li, Jie
Guo, Kaiwen Li, Juanru
Guo, Yimin Li, Shuaigang
Gusenbauer, Mathias Li, Wenjuan
Haffar, Rami Li, Xinyu
Hahn, Florian Li, Yannan
Han, Yufei Li, Zengpeng
Hausmann, Christian Li, Zheng
He, Shuangyu Li, Ziyi
He, Songlin Limniotis, Konstantinos
He, Ying Lin, Chao
Heftrig, Elias Lin, Yan
Hirschi, Lucca Liu, Jia
Hu, Kexin Liu, Jian
Huang, Qiong Liu, Weiran
Hurley-Smith, Darren Liu, Xiaoning
Iadarola, Giacomo Liu, Xueqiao
Jeitner, Philipp Liu, Zhen
Jia, Dingding Lopez, Christian
Jia, Yaoqi Losiouk, Eleonora
Judmayer, Aljosha Lu, Yuan
Kalloniatis, Christos Luo, Junwei
Kantzavelou, Ioanna Ma, Haoyu
Kasinathan, Prabhakaran Ma, Hui
Kasra Kermanshahi, Shabnam Ma, Jack P. K.
Kasra, Shabnam Ma, Jinhua
Kelarev, Andrei Ma, Mimi
Khandpur Singh, Ashneet Ma, Xuecheng
Kim, Jongkil Mai, Alexandra
Koay, Abigail Majumdar, Suryadipta
Kokolakis, Spyros Manjón, Jesús A.
Kosmanos, Dimitrios Marson, Giorgia Azzurra
Kourai, Kenichi Martinez, Sergio
Koutroumpouchos, Konstantinos Matousek, Petr
Mercaldo, Francesco Schmidt, Carsten


Michailidou, Christina Scotti, Fabio
Mitropoulos, Dimitris Shahandashti, Siamak
Mohammadi, Farnaz Shahraki, Ahmad Salehi
Mohammady, Meisam Sharifian, Setareh
Mohammed, Ameer Sharma, Vishal
Moreira, Jose Sheikhalishahi, Mina
Muñoz, Jose L. Shen, Siyu
Mykoniati, Maria Shrishak, Kris
Nassirzadeh, Behkish Simo, Hervais
Newton, Christopher Siniscalchi, Luisa
Ng, Lucien K. L. Slamanig, Daniel
Ntantogian, Christoforos Smith, Zach
Önen, Melek Solano, Jesús
Onete, Cristina Song, Yongcheng
Oqaily, Alaa Song, Zirui
Oswald, David Soriente, Claudio
Papaioannou, Thanos Soumelidou, Katerina
Parkinson, Simon Spielvogel, Korbinian
Paspatis, Ioannis Stifter, Nicholas
Patsakis, Constantinos Sun, Menghan
Pelosi, Gerardo Sun, Yiwei
Pfeffer, Katharina Sun, Yuanyi
Pitropakis, Nikolaos Tabiban, Azadeh
Poettering, Bertram Tang, Di
Poh, Geong Sen Tang, Guofeng
Polato, Mirko Taubmann, Benjamin
Poostindouz, Alireza Tengana, Lizzy
Puchta, Alexander Tian, Yangguang
Putz, Benedikt Trujillo, Rolando
Pöhls, Henrich C. Turrin, Federico
Qiu, Tian Veroni, Eleni
Radomirovic, Sasa Vielberth, Manfred
Rakotonirina, Itsaka Vollmer, Marcel
Rebollo Monedero, David Wang, Jiafan
Rivera, Esteban Wang, Qin
Rizomiliotis, Panagiotis Wang, Tianhao
Román-García, Fernando Wang, Wei
Sachidananda, Vinay Wang, Wenhao
Salazar, Luis Wang, Yangde
Salem, Ahmed Wang, Yi
Salman, Ammar Wang, Yuling
Sanders, Olivier Wang, Ziyuan
Scarsbrook, Joshua Weitkämper, Charlotte
Schindler, Philipp Wesemeyer, Stephan
Schlette, Daniel Whitefield, Jorden
Wiyaja, Dimaz Yang, Xuechao


Wong, Donald P. H. Yang, Zhichao
Wong, Harry W. H. Yevseyeva, Iryna
Wong, Jin-Mann Yi, Ping
Wu, Chen Yin, Lingyuan
Wu, Ge Ying, Jason
Wu, Lei Yu, Zuoxia
Wuest, Karl Yuan, Lun-Pin
Xie, Guoyang Yuan, Xingliang
Xinlei, He Zhang, Bingsheng
Xu, Fenghao Zhang, Fan
Xu, Jia Zhang, Ke
Xu, Jiayun Zhang, Mengyuan
Xu, Ke Zhang, Yanjun
Xu, Shengmin Zhang, Zhikun
Xu, Yanhong Zhang, Zongyang
Xue, Minhui Zhao, Yongjun
Yamada, Shota Zhong, Zhiqiang
Yang, Bohan Zhou, Yutong
Yang, Lin Zhu, Fei
Yang, Rupeng Ziaur, Rahman
Yang, S. J. Zobernig, Lukas
Yang, Wenjie Zuo, Cong
Yang, Xu
Keynotes
Decentralising Information and Communications Technology: Paradigm Shift or Cypherpunk Reverie?

Aggelos Kiayias

University of Edinburgh and IOHK, UK

Abstract. In the last decade, decentralisation emerged as a much anticipated development in the greater space of information and communications technology. Venerated by some and disparaged by others, blockchain technology became a familiar term, springing up in a wide array of expected and sometimes unexpected contexts. With the peak of the hype behind us, in this talk I look back, distilling what we have learned about the science and engineering of building secure and reliable systems; then I overview the present state of the art; and finally I delve into the future, appraising this technology in its potential to impact the way we design and deploy information and communications technology services.
Lattices and Zero-Knowledge

Vadim Lyubashevsky

IBM Research - Zurich, Switzerland

Abstract. Building cryptography based on the presumed hardness of lattice problems over polynomial rings is one of the most promising approaches for achieving security against quantum attackers. One of the reasons for the popularity of lattice-based encryption and signatures in the ongoing NIST standardization process is that they are significantly faster than all other post-quantum, and even many classical, schemes. This talk will discuss the progress in constructions of more advanced lattice-based cryptographic primitives. In particular, I will describe recent work on zero-knowledge proofs which leads to the most efficient post-quantum constructions for certain statements.
Accountability in Computing

Rebecca N. Wright

Barnard College, New York, USA

Abstract. Accountability is used often in describing computer-security mechanisms that complement preventive security, but it lacks a precise, agreed-upon definition. We argue for the need for accountability in computing in a variety of settings, and categorize some of the many ways in which this term is used. We identify a temporal spectrum onto which we may place different notions of accountability to facilitate their comparison, including prevention, detection, evidence, judgment, and punishment. We formalize our view in a utility-theoretic way and then use this to reason about accountability in computing systems. We also survey mechanisms providing various senses of accountability as well as other approaches to reasoning about accountability-related properties.

This is joint work with Joan Feigenbaum and Aaron Jaggard.
Contents – Part I

Database and Web Security

Pine: Enabling Privacy-Preserving Deep Packet Inspection on TLS with Rule-Hiding and Fast Connection Establishment . . . . . 3
Jianting Ning, Xinyi Huang, Geong Sen Poh, Shengmin Xu, Jia-Chng Loh, Jian Weng, and Robert H. Deng

Bulwark: Holistic and Verified Security Monitoring of Web Protocols . . . . . 23
Lorenzo Veronese, Stefano Calzavara, and Luca Compagna

A Practical Model for Collaborative Databases: Securely Mixing, Searching and Computing . . . . . 42
Shweta Agrawal, Rachit Garg, Nishant Kumar, and Manoj Prabhakaran

System Security I

Deduplication-Friendly Watermarking for Multimedia Data in Public Clouds . . . . . 67
Weijing You, Bo Chen, Limin Liu, and Jiwu Jing

DANTE: A Framework for Mining and Monitoring Darknet Traffic . . . . . 88
Dvir Cohen, Yisroel Mirsky, Manuel Kamp, Tobias Martin, Yuval Elovici, Rami Puzis, and Asaf Shabtai

Efficient Quantification of Profile Matching Risk in Social Networks Using Belief Propagation . . . . . 110
Anisa Halimi and Erman Ayday

Network Security I

Anonymity Preserving Byzantine Vector Consensus . . . . . 133
Christian Cachin, Daniel Collins, Tyler Crain, and Vincent Gramoli

CANSentry: Securing CAN-Based Cyber-Physical Systems against Denial and Spoofing Attacks . . . . . 153
Abdulmalik Humayed, Fengjun Li, Jingqiang Lin, and Bo Luo

Distributed Detection of APTs: Consensus vs. Clustering . . . . . 174
Juan E. Rubio, Cristina Alcaraz, Ruben Rios, Rodrigo Roman, and Javier Lopez
Designing Reverse Firewalls for the Real World . . . . . 193
Angèle Bossuat, Xavier Bultel, Pierre-Alain Fouque, Cristina Onete, and Thyla van der Merwe

Software Security

Follow the Blue Bird: A Study on Threat Data Published on Twitter . . . . . 217
Fernando Alves, Ambrose Andongabo, Ilir Gashi, Pedro M. Ferreira, and Alysson Bessani

Dynamic and Secure Memory Transformation in Userspace . . . . . 237
Robert Lyerly, Xiaoguang Wang, and Binoy Ravindran

Understanding the Security Risks of Docker Hub . . . . . 257
Peiyu Liu, Shouling Ji, Lirong Fu, Kangjie Lu, Xuhong Zhang, Wei-Han Lee, Tao Lu, Wenzhi Chen, and Raheem Beyah

DE-auth of the Blue! Transparent De-authentication Using Bluetooth Low Energy Beacon . . . . . 277
Mauro Conti, Pier Paolo Tricomi, and Gene Tsudik

Similarity of Binaries Across Optimization Levels and Obfuscation . . . . . 295
Jianguo Jiang, Gengwang Li, Min Yu, Gang Li, Chao Liu, Zhiqiang Lv, Bin Lv, and Weiqing Huang

HART: Hardware-Assisted Kernel Module Tracing on Arm . . . . . 316
Yunlan Du, Zhenyu Ning, Jun Xu, Zhilong Wang, Yueh-Hsun Lin, Fengwei Zhang, Xinyu Xing, and Bing Mao

Zipper Stack: Shadow Stacks Without Shadow . . . . . 338
Jinfeng Li, Liwei Chen, Qizhen Xu, Linan Tian, Gang Shi, Kai Chen, and Dan Meng

Restructured Cloning Vulnerability Detection Based on Function Semantic Reserving and Reiteration Screening . . . . . 359
Weipeng Jiang, Bin Wu, Xingxin Yu, Rui Xue, and Zhengmin Yu

LegIoT: Ledgered Trust Management Platform for IoT . . . . . 377
Jens Neureither, Alexandra Dmitrienko, David Koisser, Ferdinand Brasser, and Ahmad-Reza Sadeghi

Machine Learning Security

PrivColl: Practical Privacy-Preserving Collaborative Machine Learning . . . . . 399
Yanjun Zhang, Guangdong Bai, Xue Li, Caitlin Curtis, Chen Chen, and Ryan K. L. Ko
An Efficient 3-Party Framework for Privacy-Preserving Neural Network Inference . . . . . 419
Liyan Shen, Xiaojun Chen, Jinqiao Shi, Ye Dong, and Binxing Fang

Deep Learning Side-Channel Analysis on Large-Scale Traces . . . . . 440
Loïc Masure, Nicolas Belleville, Eleonora Cagli, Marie-Angela Cornélie, Damien Couroussé, Cécile Dumas, and Laurent Maingault

Towards Poisoning the Neural Collaborative Filtering-Based Recommender Systems . . . . . 461
Yihe Zhang, Jiadong Lou, Li Chen, Xu Yuan, Jin Li, Tom Johnsten, and Nian-Feng Tzeng

Data Poisoning Attacks Against Federated Learning Systems . . . . . 480
Vale Tolpegin, Stacey Truex, Mehmet Emre Gursoy, and Ling Liu

Interpretable Probabilistic Password Strength Meters via Deep Learning . . . . . 502
Dario Pasquini, Giuseppe Ateniese, and Massimo Bernaschi

Polisma - A Framework for Learning Attribute-Based Access Control Policies . . . . . 523
Amani Abu Jabal, Elisa Bertino, Jorge Lobo, Mark Law, Alessandra Russo, Seraphin Calo, and Dinesh Verma

A Framework for Evaluating Client Privacy Leakages in Federated Learning . . . . . 545
Wenqi Wei, Ling Liu, Margaret Loper, Ka-Ho Chow, Mehmet Emre Gursoy, Stacey Truex, and Yanzhao Wu

Network Security II

An Accountable Access Control Scheme for Hierarchical Content in Named Data Networks with Revocation . . . . . 569
Nazatul Haque Sultan, Vijay Varadharajan, Seyit Camtepe, and Surya Nepal

PGC: Decentralized Confidential Payment System with Auditability . . . . . 591
Yu Chen, Xuecheng Ma, Cong Tang, and Man Ho Au

Secure Cloud Auditing with Efficient Ownership Transfer . . . . . 611
Jun Shen, Fuchun Guo, Xiaofeng Chen, and Willy Susilo

Privacy

Encrypt-to-Self: Securely Outsourcing Storage . . . . . 635
Jeroen Pijnenburg and Bertram Poettering
PGLP: Customizable and Rigorous Location Privacy Through Policy Graph . . . . . 655
Yang Cao, Yonghui Xiao, Shun Takagi, Li Xiong, Masatoshi Yoshikawa, Yilin Shen, Jinfei Liu, Hongxia Jin, and Xiaofeng Xu

Where Are You Bob? Privacy-Preserving Proximity Testing with a Napping Party . . . . . 677
Ivan Oleynikov, Elena Pagnin, and Andrei Sabelfeld

Password and Policy

Distributed PCFG Password Cracking . . . . . 701
Radek Hranický, Lukáš Zobal, Ondřej Ryšavý, Dušan Kolář, and Dávid Mikuš

Your PIN Sounds Good! Augmentation of PIN Guessing Strategies via Audio Leakage . . . . . 720
Matteo Cardaioli, Mauro Conti, Kiran Balagani, and Paolo Gasti

GDPR – Challenges for Reconciling Legal Rules with Technical Reality . . . . 736
Mirosław Kutyłowski, Anna Lauks-Dutka, and Moti Yung

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 757


Contents – Part II

Formal Modelling

Automatic Generation of Sources Lemmas in TAMARIN: Towards Automatic Proofs of Security Protocols . . . . . 3
Véronique Cortier, Stéphanie Delaune, and Jannik Dreier

When Is a Test Not a Proof? . . . . . 23
Eleanor McMurtry, Olivier Pereira, and Vanessa Teague

Hardware Fingerprinting for the ARINC 429 Avionic Bus . . . . . 42
Nimrod Gilboa-Markevich and Avishai Wool

Applied Cryptography I

Semantic Definition of Anonymity in Identity-Based Encryption and Its Relation to Indistinguishability-Based Definition . . . . . 65
Goichiro Hanaoka, Misaki Komatsu, Kazuma Ohara, Yusuke Sakai, and Shota Yamada

SHECS-PIR: Somewhat Homomorphic Encryption-Based Compact and Scalable Private Information Retrieval . . . . . 86
Jeongeun Park and Mehdi Tibouchi

Puncturable Encryption: A Generic Construction from Delegatable Fully Key-Homomorphic Encryption . . . . . 107
Willy Susilo, Dung Hoang Duong, Huy Quoc Le, and Josef Pieprzyk

Analyzing Attacks

Linear Attack on Round-Reduced DES Using Deep Learning . . . . . 131
Botao Hou, Yongqiang Li, Haoyue Zhao, and Bin Wu

Detection by Attack: Detecting Adversarial Samples


by Undercover Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Qifei Zhou, Rong Zhang, Bo Wu, Weiping Li, and Tong Mo

Big Enough to Care Not Enough to Scare! Crawling to Attack


Recommender Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Fabio Aiolli, Mauro Conti, Stjepan Picek, and Mirko Polato
Active Re-identification Attacks on Periodically Released Dynamic Social Graphs . . . . . 185
Xihui Chen, Ema Këpuska, Sjouke Mauw, and Yunior Ramírez-Cruz

System Security II

Fooling Primality Tests on Smartcards . . . . . 209
Vladimir Sedlacek, Jan Jancar, and Petr Svenda

An Optimizing Protocol Transformation for Constructor Finite Variant Theories in Maude-NPA . . . . . 230
Damián Aparicio-Sánchez, Santiago Escobar, Raúl Gutiérrez, and Julia Sapiña

On the Privacy Risks of Compromised Trigger-Action Platforms . . . . . 251
Yu-Hsi Chiang, Hsu-Chun Hsiao, Chia-Mu Yu, and Tiffany Hyun-Jin Kim

Plenty of Phish in the Sea: Analyzing Potential Pre-attack Surfaces . . . . . 272
Tobias Urban, Matteo Große-Kampmann, Dennis Tatang, Thorsten Holz, and Norbert Pohlmann

Post-quantum Cryptography

Towards Post-Quantum Security for Cyber-Physical Systems: Integrating PQC into Industrial M2M Communication . . . . . 295
Sebastian Paul and Patrik Scheible

CSH: A Post-quantum Secret Handshake Scheme from Coding Theory . . . . . 317
Zhuoran Zhang, Fangguo Zhang, and Haibo Tian

A Verifiable and Practical Lattice-Based Decryption Mix Net with External Auditing . . . . . 336
Xavier Boyen, Thomas Haines, and Johannes Müller

A Lattice-Based Key-Insulated and Privacy-Preserving Signature Scheme with Publicly Derived Public Key . . . . . 357
Wenling Liu, Zhen Liu, Khoa Nguyen, Guomin Yang, and Yu Yu

Post-Quantum Adaptor Signatures and Payment Channel Networks . . . . . 378
Muhammed F. Esgin, Oğuzhan Ersoy, and Zekeriya Erkin

Security Analysis

Linear-Complexity Private Function Evaluation is Practical . . . . . 401
Marco Holz, Ágnes Kiss, Deevashwer Rathee, and Thomas Schneider
Certifying Decision Trees Against Evasion Attacks by Program Analysis . . . . . 421
Stefano Calzavara, Pietro Ferrara, and Claudio Lucchese

They Might NOT Be Giants: Crafting Black-Box Adversarial Examples Using Particle Swarm Optimization . . . . . 439
Rayan Mosli, Matthew Wright, Bo Yuan, and Yin Pan

Understanding Object Detection Through an Adversarial Lens . . . . . 460
Ka-Ho Chow, Ling Liu, Mehmet Emre Gursoy, Stacey Truex, Wenqi Wei, and Yanzhao Wu

Applied Cryptography II

Signatures with Tight Multi-user Security from Search Assumptions . . . . . 485
Jiaxin Pan and Magnus Ringerud

Biased RSA Private Keys: Origin Attribution of GCD-Factorable Keys . . . . . 505
Adam Janovsky, Matus Nemec, Petr Svenda, Peter Sekan, and Vashek Matyas

MAC-in-the-Box: Verifying a Minimalistic Hardware Design for MAC Computation . . . . . 525
Robert Küennemann and Hamed Nemati

Evaluating the Effectiveness of Heuristic Worst-Case Noise Analysis in FHE . . . . . 546
Anamaria Costache, Kim Laine, and Rachel Player

Blockchain I

How to Model the Bribery Attack: A Practical Quantification Method in Blockchain . . . . . 569
Hanyi Sun, Na Ruan, and Chunhua Su

Updatable Blockchains . . . . . 590
Michele Ciampi, Nikos Karayannidis, Aggelos Kiayias, and Dionysis Zindros

PrivacyGuard: Enforcing Private Data Usage Control with Blockchain and Attested Off-Chain Contract Execution . . . . . 610
Yang Xiao, Ning Zhang, Jin Li, Wenjing Lou, and Y. Thomas Hou
Applied Cryptography III

Identity-Based Authenticated Encryption with Identity Confidentiality . . . . . 633
Yunlei Zhao

Securing DNSSEC Keys via Threshold ECDSA from Generic MPC . . . . . 654
Anders Dalskov, Claudio Orlandi, Marcel Keller, Kris Shrishak, and Haya Shulman

On Private Information Retrieval Supporting Range Queries . . . . . 674
Junichiro Hayata, Jacob C. N. Schuldt, Goichiro Hanaoka, and Kanta Matsuura

Blockchain II

2-hop Blockchain: Combining Proof-of-Work and Proof-of-Stake Securely . . . . . 697
Tuyet Duong, Lei Fan, Jonathan Katz, Phuc Thai, and Hong-Sheng Zhou

Generic Superlight Client for Permissionless Blockchains . . . . . 713
Yuan Lu, Qiang Tang, and Guiling Wang

LNBot: A Covert Hybrid Botnet on Bitcoin Lightning Network for Fun and Profit . . . . . 734
Ahmet Kurt, Enes Erdin, Mumin Cebe, Kemal Akkaya, and A. Selcuk Uluagac

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 757


Database and Web Security

Pine: Enabling Privacy-Preserving Deep Packet Inspection on TLS with Rule-Hiding and Fast Connection Establishment

Jianting Ning (1,4), Xinyi Huang (1, corresponding author), Geong Sen Poh (2), Shengmin Xu (1), Jia-Chng Loh (2), Jian Weng (3), and Robert H. Deng (4)

1 Fujian Provincial Key Laboratory of Network Security and Cryptology, College of Mathematics and Informatics, Fujian Normal University, Fuzhou, China
  jtning88@gmail.com, xyhuang81@gmail.com, smxu1989@gmail.com
2 NUS-Singtel Cyber Security Lab, Singapore, Singapore
  pohgs@comp.nus.edu.sg, dcsljc@nus.edu.sg
3 College of Information Science and Technology, Jinan University, Guangzhou, China
  cryptjweng@gmail.com
4 School of Information Systems, Singapore Management University, Singapore, Singapore
  robertdeng@smu.edu.sg

Abstract. Transport Layer Security Inspection (TLSI) enables enterprises to decrypt, inspect and then re-encrypt users' traffic before it is routed to its destination. This breaks the end-to-end security guarantee of the TLS specification and implementation. It also raises privacy concerns, since users' traffic is now known to the enterprise, and third-party middlebox providers offering the inspection service may additionally learn the enterprise's inspection or attack rules and policies. Two recent works, BlindBox (SIGCOMM 2015) and PrivDPI (CCS 2019), propose privacy-preserving approaches that inspect encrypted traffic directly to address the privacy concern over users' traffic. However, BlindBox incurs high preprocessing overhead during TLS connection establishment, and while PrivDPI reduces this overhead substantially, it is still notable compared to that of TLSI. Furthermore, the underlying assumption in both approaches is that the middlebox knows the rule sets. Nevertheless, with the services increasingly migrating to third-party cloud-based settings, rule privacy should be preserved. Also, both approaches are static in nature, in the sense that the addition of any rule requires a significant amount of preprocessing and a re-instantiation of the protocol.
In this paper we propose Pine, a new Privacy-preserving inspection of encrypted traffic protocol that (1) simplifies the preprocessing step of PrivDPI and thus further reduces the computation time and communication overhead of establishing a TLS connection between a user and a server; (2) supports rule hiding; and (3) enables dynamic rule addition without the need to re-execute the protocol from scratch. We demonstrate the
© Springer Nature Switzerland AG 2020
L. Chen et al. (Eds.): ESORICS 2020, LNCS 12308, pp. 3–22, 2020.
https://doi.org/10.1007/978-3-030-58951-6_1
4 J. Ning et al.

superior performance of Pine compared to PrivDPI through extensive experiments. In particular, for a connection from a client to a server with 5,000 tokens and 6,000 rules, Pine is approximately 27% faster and saves approximately 92.3% of the communication cost.

Keywords: Network privacy · Traffic inspection · Encrypted traffic

1 Introduction
According to a recent Internet trends report [11], 87% of today's web traffic is encrypted, compared to 53% in 2016. Similarly, over 94% of web traffic across Google uses HTTPS encryption [7]. The increasing use of end-to-end encryption to secure web traffic has hampered the ability of existing middleboxes to detect malicious packets via deep packet inspection of the traffic. As a result, security service providers and enterprises deploy tools that perform a Man-in-the-Middle (MitM) to decrypt, inspect and re-encrypt traffic before the traffic is sent to the designated server. This approach is termed Transport Layer Security Inspection (TLSI) by the National Security Agency (NSA), which recently issued an advisory on TLSI [12] citing potential security issues, including insider threats: TLSI introduces additional risks whereby administrators may abuse their authority to obtain sensitive information from the decrypted traffic. On the other hand, there is growing privacy concern over the access to users' data by middleboxes as well as by enterprise gateways. According to a recent survey on TLSI in the US [16], more than 70% of the participants are concerned that middleboxes (or TLS proxies) performing TLSI can be exploited by hackers or used by governments, and close to 50% think it is an invasion of privacy. In general, participants accept the use of middleboxes by their employers or universities for security purposes, but also want assurance that these would not be used by governments for surveillance or exploited by hackers.
To alleviate the above concerns, that is, to maintain the security of TLS while 
ensuring the privacy of the encrypted traffic, Sherry et al. [20] introduced a solution called BlindBox that performs inspection on encrypted traffic directly. However, BlindBox needs a setup phase that is executed between the middlebox and the client. The setup phase performs a two-party computation in which the input of the middlebox is the rules, which means that the privacy of the rules against the middlebox is not assured. In addition, this setup phase is built on garbled circuits and needs to be executed for every session. Due to the properties of garbled circuits, this setup phase incurs significant computation and communication overheads. To overcome this limitation, Ning et al. [15] recently proposed PrivDPI with an improved setup phase. A new obfuscated rule generation technique was introduced, which enables the reuse of intermediate values generated during the first TLS session across subsequent sessions. This greatly reduces the computation and communication overheads over a series of sessions. However, there is still a considerable delay during the establishment of a TLS connection, since each client is required to run a preprocessing protocol for each new connection. In addition,
as we will show in Sect. 4.1, when the domain of the inspection or attack rules is small, the middlebox can brute-force the rules in the setting of PrivDPI. This means that, as in BlindBox, PrivDPI does not provide privacy of rules against the middlebox. However, as noted in [20], most solution providers, such as McAfee, rely on the privacy of their rules in their business model. Even more so given the increasingly popular cloud-based middlebox services, the privacy of the rules should be preserved against the middleboxes.
Given the security and privacy concerns on TLSI and the current state of the art, we seek to introduce a new solution that addresses the following issues, in addition to maintaining the security and privacy provisions of BlindBox and PrivDPI: (1) fast TLS connection establishment without preprocessing, in order to eliminate the session setup delay incurred in both BlindBox and PrivDPI; (2) resistance to brute-force guessing of the rule sets even for small rule domains; (3) support for lightweight rule addition.
Our Contributions. We propose Pine, a new protocol for privacy-preserving deep packet inspection on encrypted traffic, for a practical enterprise network setting where clients connect to the Internet through an enterprise gateway. The main contributions are summarized as follows.
– Identifying a limitation of PrivDPI. We revisit PrivDPI and demonstrate that, when the rule domain is small, the middlebox can forge new encrypted rules, which gives it the ability to inspect the encrypted traffic with any encrypted rule it generates.
– New solution with stronger privacy guarantee. We propose Pine as the new solution to the problem of privacy-preserving deep packet inspection, with stronger privacy guarantees. First, the privacy of the traffic is protected unless there is an attack in the traffic. Furthermore, privacy of the rules is assured against the middlebox; we call this property rule hiding. It ensures privacy of the rules even when the rule domain is small (e.g. approximately 3,000 rules, as in existing Network Intrusion Detection System (IDS) rule sets), which addresses the limitation of PrivDPI. In addition, privacy of the rules is also assured against the enterprise gateway and the endpoints; we term this property rule privacy.
– Amortized setup, fast connection establishment. Pine enables the establishment of a TLS connection with low latency and without the interactive preprocessing protocol of PrivDPI and BlindBox. The latency-incurring preprocessing protocol is performed offline and executed only once. Consequently, there is no per-user-connection overhead: any client can set up a secure TLS connection with a remote server without preprocessing delay. In contrast, in PrivDPI and BlindBox, the more rules there are, the higher the per-connection setup cost. The speed-up of the connection is crucial for low-latency applications.
– Lightweight rule addition. Pine is a dynamic protocol in that it allows new rules to be added on the fly without affecting the connection between a client and a server. The rule addition is seamless to the clients in the sense that the gateway can locally execute the rule addition phase with the middlebox
Fig. 1. Pine system architecture.

without any client involvement. This is beneficial compared to BlindBox and PrivDPI, where the client would need to re-run the preprocessing protocol from scratch for every connection.
In addition to stronger privacy protection, we conduct extensive experiments to demonstrate the superior performance of Pine compared to PrivDPI. For a connection from a client to a server with 5,000 tokens and a rule set of 6,000 rules, Pine is approximately 27% faster than PrivDPI and saves approximately 92.3% of the communication cost. In particular, the communication cost of Pine is independent of the number of rules, while the communication cost of PrivDPI grows linearly with the number of rules.

2 Protocol Overview
Pine shares a similar architecture with BlindBox and PrivDPI, as illustrated in Fig. 1. There are five entities in Pine: Client, Server, Gateway (GW), Rule Generator (RG) and Middlebox (MB). Client and server are the endpoints that send and receive network traffic protected by TLS. GW is a device located between a set of clients and the servers, through which network traffic flows from one endpoint to the other. RG generates the attack rule tuples for MB. The attack rule tuples are used by MB to detect attacks in the network traffic. Each attack rule describes an attack and contains one or more keywords to be matched in the network communication. Hereafter, we use the terms "rule" and "attack rule" interchangeably. The role of RG can be played by organizations such as McAfee [18]. MB is a network device that inspects and filters network traffic using the attack rule tuples issued by RG.
System Requirements. The primary aim is to provide a privacy-preserving mechanism that can detect suspicious traffic while at the same time ensuring the privacy of the endpoints' traffic. In particular, the system requirements include:
– Traffic inspection: Pine retains the functionality of a traditional IDS, i.e., finding a suspicious keyword in a packet.
– Rule privacy: The endpoints and GW should not learn the attack rules (i.e., the keywords). This is required especially for security solution providers whose comprehensive and proprietary rule sets are their unique proposition for detecting malicious traffic more effectively.
– Traffic privacy: On one hand, MB is not supposed to learn the plaintext of the network traffic, except for the portions of the traffic that match the rules. On the other hand, GW is not allowed to read the content of the traffic.
– Rule hiding: MB is not supposed to learn the attack rules from the attack rule tuples issued by RG in a cloud-based setting where MB resides on a cloud platform. In such a case the cloud-based middlebox is not fully trusted. The security solution providers would want to protect the privacy of their unique rule sets, as discussed above under rule privacy.

Threat Model. There are three types of attackers, described as follows.
– Malicious endpoint. The first type of attacker is an endpoint (i.e., the client or the server). As in BlindBox [20] and PrivDPI [15], at most one of the two endpoints is assumed to be malicious, but not both. Such an attacker is the same as the attacker in a traditional IDS, whose main goal is to evade detection. As in a traditional IDS [17], it is a fundamental requirement that at least one of the two endpoints is honest: if two malicious endpoints agree on a private key and send traffic encrypted under this key, detection of malicious traffic would be infeasible.
– The attacker at the gateway. As in a conventional network setting, GW is assumed to be semi-honest. That is, GW honestly follows the protocol specification but may try to learn the plaintext of the traffic. GW may also try to infer the rules from the messages it receives.
– The attacker at the middlebox. MB is assumed to be semi-honest: it follows the protocol but may attempt to learn more than allowed from the messages it receives. In particular, it may try to read the content of the traffic that passes through it. In addition, it may try to learn the underlying rules of the attack rule tuples issued by RG.

Protocol Flow. We present how each phase functions at a high level.
– Initialization. RG initializes the system by setting the public parameters.
– Setup. GW subscribes to the inspection service of RG and sends RG a shared secret. RG issues the attack rule tuples to MB. The client and the server derive some parameters from the key of the primary TLS handshake protocol and install a Pine HTTPS configuration, respectively.
– Preprocessing. In this phase, GW interacts with MB to generate a set of reusable randomized rules. In addition, GW generates and sends the initialization parameters to the clients within its domain.
– Preparation of Session Detection Rule. In this phase, the reusable randomized rules are used to generate session detection rules.
– Token Encryption. In this phase, a client generates an encrypted token for each token in the payload. The encrypted tokens are sent along with the traffic encrypted from the payload using regular TLS.
– Gateway Checking. For the first session, GW checks whether the parameters attached by the client are well-formed. This phase is run when a client connects to a server for the first time.
– Traffic Inspection. MB generates a set of encrypted rules and performs inspection using these encrypted rules.
– Traffic Validation. One endpoint performs traffic validation in case the other endpoint is malicious.
– Rule Addition. A set of new attack rules is added in this phase. GW interacts with MB to generate the reusable randomized rule set corresponding to these new attack rules.

3 Preliminaries
Complexity Assumption. The decisional Diffie-Hellman (DDH) problem is stated as follows: given $g, g^x, g^y, g^z$, decide whether $z = xy$ (modulo the order of $g$), where $x, y, z \in \mathbb{Z}_p$. We say that a PPT algorithm $\mathcal{B}$ has advantage $\epsilon$ in solving the DDH problem if
$$\left|\, \Pr[\mathcal{B}(g, g^x, g^y, g^{xy}) = 1] - \Pr[\mathcal{B}(g, g^x, g^y, g^{z}) = 1] \,\right| \geq \epsilon,$$
where the probability is taken over the coins of $\mathcal{B}$, $g$, $x$, $y$, $z$.
Definition 1. The DDH assumption holds if no PPT adversary has advantage at least $\epsilon$ in solving the DDH problem.
Pseudorandom function. A pseudorandom function family PRF is a family of functions $\{\mathsf{PRF}_a : U \to V \mid a \in A\}$ such that $A$ can be efficiently sampled, and PRF, $U$, $V$ and $A$ are all indexed by a security parameter $\lambda$. The security property of a PRF is: for any PPT algorithm $\mathcal{B}$ running in time polynomial in $\lambda$, it holds that $|\Pr[\mathcal{B}^{\mathsf{PRF}_a(\cdot)} = 1] - \Pr[\mathcal{B}^{R(\cdot)} = 1]| = \mathrm{negl}(\lambda)$, where negl is a negligible function of $\lambda$, and $a$ and $R$ are uniform over $A$ and over the set of functions $U \to V$, respectively. The probability is taken over the coins of $\mathcal{B}$, $a$ and $R$. For notational simplicity, we consider a version of the general pseudorandom function notion that is tailored to our implementation. Specifically, the pseudorandom function PRF considered in this paper maps $\lambda$-bit strings to elements of $\mathbb{Z}_p$, namely $\mathsf{PRF}_a : \{0,1\}^\lambda \to \mathbb{Z}_p$, where $a \in \mathbb{G}$.
Payload Tokenization. As in BlindBox and PrivDPI, we use window-based tokenization to tokenize the keywords of a client's payload. Window-based tokenization follows a simple sliding-window algorithm. We adopt 8 bytes per token in our implementation. That is, given the payload "secret key", an endpoint generates the tokens "secret k", "ecret ke" and "cret key".

4 Protocol
In this section, we first point out the limitation of PrivDPI. To address this prob-
lem and further reduce the connection delay, we then present our new protocol.

4.1 Limitation of PrivDPI

We show how PrivDPI fails when the rule domain is small. We say that the rule domain is small if one can launch a brute-force attack to guess the underlying rules given the public parameters. We first recall the setup phase of
PrivDPI. In the setup phase, the middlebox receives $(s_i, R_i, \mathrm{sig}(R_i))$ for rule $r_i$, where $R_i = g^{\alpha r_i + s_i}$ and $\mathrm{sig}(R_i)$ is the signature on $R_i$. With $s_i$ and $R_i$, MB obtains the value $g^{\alpha r_i}$. Recall that in PrivDPI the value $A = g^{\alpha}$ is included in the PrivDPI HTTPS configuration, so MB can obtain this value by installing a PrivDPI HTTPS configuration. Since the rule domain is small, with $A$ and $g^{\alpha r_i}$, MB can brute-force the value of $r_i$ by checking, for every candidate value $v$ within the rule domain, whether $A^v \stackrel{?}{=} g^{\alpha r_i}$. In this way, MB obtains the value $r_i$ for $R_i$ and $r_j$ for $R_j$. After the completion of the preprocessing protocol, MB obtains the reusable obfuscated rule $I_i = g^{k\alpha r_i + k^2}$ for rule $r_i$. Now MB knows the values $r_i$, $r_j$, $I_i = g^{k\alpha r_i + k^2}$ and $I_j = g^{k\alpha r_j + k^2}$. It can then compute $(I_i / I_j)^{(r_i - r_j)^{-1}}$ (the inverse taken modulo the group order) to obtain the value $g^{k\alpha}$. With $g^{k\alpha}$, $r_i$ and $I_i = g^{k\alpha r_i + k^2}$, it can compute $I_i / (g^{k\alpha})^{r_i} = g^{k^2}$. With $g^{k^2}$ and $g^{k\alpha}$, MB can forge the reusable obfuscated rule $g^{k\alpha r + k^2}$ for any rule $r$ it chooses. With the forged (but valid) reusable obfuscated rule, MB can detect more than it is allowed to, which violates the privacy requirement of the encrypted traffic.

4.2 Description of Our Protocol

Initialization. Let $\mathcal{R}$ be the domain of rules, PRF a pseudorandom function, $n$ the number of rules and $[n]$ the set $\{1, \ldots, n\}$. Let $\mathrm{AES}_a(salt)$ denote the AES encryption of the message $salt$ under key $a$, and let $\mathrm{Enc}_a(salt) = \mathrm{AES}_a(salt) \bmod R$, where $R$ is an integer used to reduce the ciphertext size [20]. The initialization phase takes a security parameter $\lambda$ and chooses a group $\mathbb{G}$ of prime order $p$. It then chooses a generator $g$ of $\mathbb{G}$ and sets the public parameters to $(\mathbb{G}, p, g)$.
Setup. GW chooses a key $g^w$ for the pseudorandom function PRF, where $w \in \mathbb{Z}_p^*$. It subscribes to the service of RG and sends $w$ to RG. RG first computes $W = g^w$. For a rule set $\{r_i \in \mathcal{R}\}_{i \in [n]}$ and each $i \in [n]$, RG chooses a random $k_i \in \mathbb{Z}_p$ and calculates $r_{w,i} = \mathsf{PRF}_W(r_i)$ and $R_i = g^{r_{w,i} + k_i}$. RG chooses a signature scheme with secret key $sk$ and public key $pk$. It then signs each $R_i$, $i \in [n]$, with $sk$; denote the signature on $R_i$ by $\sigma_i$. Finally, it sends the attack rule tuples $\{(R_i, \sigma_i, k_i)\}_{i \in [n]}$ to MB. Here, $g^w$ is the key ingredient for ensuring rule hiding. The key observation is that, since MB knows neither $g^w$ nor $w$, it cannot recover the underlying $r_i$ of $R_i$ by brute-forcing keywords of its choice. In particular, for a given attack rule tuple $(R_i, \sigma_i, k_i)$, MB can obtain the value $g^{r_{w,i}}$ by computing $R_i / g^{k_i}$. By the pseudorandomness of PRF, $r_{w,i}$ is pseudorandom, and hence so is $g^{r_{w,i}}$. Without knowledge of $g^w$ or $w$, MB cannot obtain $r_i$ even if it brute-forces every keyword it can think of.
On the other hand, the client and the server install a Pine HTTPS configuration which contains the value $R$. Let $k_{sk}$ be the key of the regular TLS handshake protocol established by a client and a server. From $k_{sk}$, the client (resp. the server) derives three keys $k_T$, $c$ and $k_s$. Specifically, $k_T$ is a standard TLS key used to encrypt the traffic; $c$ is a random value from $\mathbb{Z}_p$ used for generating session detection rules; $k_s$ is a random value from $\mathbb{Z}_p$ used as randomness to mask the parameters sent from the client to the server.
Preprocessing. In order to accelerate the network connection between a client and a server (compared to PrivDPI), we introduce a new approach that enables fast connection establishment without executing the preprocessing process per client as in PrivDPI. We start from the common networking scenario in an enterprise setting where a gateway is located between a set of clients and a server. The main idea is to let the gateway act as the representative of the clients within its domain and run the preprocessing protocol with MB only once. The clients and the gateway share the initialization parameters required for connecting to the server. In this case, the connection between a client and a server can be established instantly without any preprocessing as in PrivDPI, since the preprocessing is performed by the gateway and MB beforehand. In other words, we offload the preprocessing to the gateway, which dramatically reduces the computation and communication overhead of the connection between a client and a server.
Specifically, in this phase GW runs a preprocessing protocol with MB to generate a reusable randomized rule set as well as the initialization parameters for the clients within the domain of GW. The preprocessing protocol, described in Fig. 2, is run after the TLS handshake protocol. Upon completion of this phase, MB obtains a set of reusable randomized rules which enable it to perform deep packet inspection over the encrypted traffic across a series of sessions. The values $I_0$, $I_1$ and $I_2$ enable each client within the domain of GW to generate the encrypted tokens. Hence, for any network connection with a server, a client does not need to run a preprocessing phase with MB, in contrast to BlindBox and PrivDPI. This substantially reduces the delay and communication cost of the network connection between the client and the server, especially for large rule sets. Furthermore, when new rules are added, a client does not need to re-run the preprocessing protocol as in BlindBox and PrivDPI. This means rule addition has no effect on the client side.
Preparation of Session Detection Rule. A set of session detection rules
will be generated in this phase. These session detection rules are computed,
tailored for every session, from the reusable randomized rules generated from
the preprocessing protocol. The generated session detection rules are used as the
inputs to generate the corresponding encrypted rules. The protocol is described
in Fig. 3, and it is executed for every new session.

Token Encryption. Similar to BlindBox and PrivDPI, we adopt the window-based tokenization approach described in Sect. 3. After the tokenization step, a client obtains a set of tokens corresponding to the payload. The first time a client connects to a server, the client derives a salt from $c$ and stores the salt for future use, where $c$ is the key derived from the key $k_{sk}$ of the TLS handshake protocol. For each token $t$, the client runs the token encryption algorithm described in Fig. 4. To prevent the count table $T$ from growing too large, the client clears $T$ every $Z$ sessions (e.g., $Z = 1{,}000$). In this case, the client sends a new salt to MB, where $salt \leftarrow salt + \max_t count_t + 1$.
In the above, we describe the token encryption when the endpoint is a client. When the endpoint is a server, the server first runs the same tokenization step and then encrypts the tokens as in steps 1 and 2 of Fig. 4.
Gateway Checking. This phase is executed when a client connects to a server for the first time. To the traffic sent from the client to the server for the first time, the client attaches $(salt, C_{k_s}, C_w, C_x, C_y)$. This enables the server to validate the encrypted traffic during the traffic validation phase. $C_{k_s}$ and $k_s$ serve as the randomness to mask the values $g^w$, $g^x$ and $g^{xy}$. The correctness of $C_{k_s}$ is checked once the traffic reaches the server. To ensure that $g^w$, $g^x$ and $g^{xy}$ are correctly masked by $C_{k_s}$, GW simply checks whether the following equations hold: $C_w = (C_{k_s})^w$, $C_x = (C_{k_s})^x$ and $C_y = (C_{k_s})^{xy}$.
Traffic Detection. During the traffic detection phase, MB performs an equality check between the encrypted tokens in the traffic and the encrypted rules it keeps. The traffic detection algorithm is as follows. MB first initializes a counter table $CT_r$ to record the encrypted rule $E_{r_i}$ for each rule $r_i$. The encrypted rule $E_{r_i}$ for rule $r_i$ is computed as $E_{r_i} = \mathrm{Enc}_{S_i}(salt + count_{r_i})$, where $count_{r_i}$ is initialized to 0. MB then builds a search tree containing the encrypted rules. If a match is found, MB takes the corresponding action, deletes the old $E_{r_i}$ corresponding to $r_i$, increases $count_{r_i}$ by 1, and computes and inserts a new $E_{r_i}$ into the tree, where the new $E_{r_i}$ is computed as $\mathrm{Enc}_{S_i}(salt + count_{r_i})$.
Traffic Validation. If it is the first session between a client and a server, upon receiving $(salt, C_{k_s}, C_w, C_x, C_y)$, the server checks whether $C_{k_s} = g^{k_s}$ holds, where $k_s$ is derived (by the server) from the key $k_{sk}$ of the regular TLS handshake protocol. If the equation holds, the server computes $(C_w)^{(k_s)^{-1}} = g^w$, $(C_x)^{(k_s)^{-1}} = g^x$ and $(C_y)^{(k_s)^{-1}} = g^{xy}$. With the computed $(g^w, g^x, g^{xy})$, the server runs the same token encryption algorithm on the plaintext decrypted from the

Input: MB has inputs $\{(R_i, \sigma_i, k_i)\}_{i \in [n]}$, where $R_i = g^{r_{w,i} + k_i}$; GW has input $pk$.
The protocol is run between GW and MB:
1. GW chooses a random $x \in \mathbb{Z}_p^*$, computes $X = g^x$, and sends $X$ to MB.
2. MB sends $\{(R_i, \sigma_i)\}_{i \in [n]}$ to GW.
3. Upon receiving $\{(R_i, \sigma_i)\}_{i \in [n]}$, GW does:
(1) Check that $\sigma_i$ is a valid signature on $R_i$ under $pk$ for every $i \in [n]$; if not, halt and output $\bot$.
(2) Choose a random $y \in \mathbb{Z}_p^*$ and compute $Y = g^y$. Compute $X_i = (R_i \cdot Y)^x = g^{x r_{w,i} + x k_i + xy}$ for $i \in [n]$, and return $\{X_i\}_{i \in [n]}$ to MB.
4. MB computes $K_i = X_i / X^{k_i} = g^{x r_{w,i} + xy}$ for $i \in [n]$ as the reusable randomized rule for rule $r_i$.
5. GW sets $I_0 = xy$, $I_1 = x$, $I_2 = g^w$ as the initialization parameters, and sends $(I_0, I_1, I_2)$ to the clients within its domain.

Fig. 2. Preprocessing protocol


12 J. Ning et al.

Input: The client (resp. the server) has input c. MB has input {Ki }i∈[n] .
The protocol is run among a client, a server and MB:
1. The client computes C = g c and sends C to MB (through GW). Meanwhile,
the server sets Cs = c and sends Cs to MB.
2. MB checks whether C equals g Cs . If yes, for i ∈ [n], it calculates Si = (Ki ·C)Cs =
g c(xrw,i +xy+c) as the session detection rule for rule ri .

Fig. 3. Session detection rule preparation protocol

encrypted TLS traffic as the client does. The server then checks whether the
resulting encrypted tokens equal the encrypted tokens received from MB. If
not, it indicates that the client is malicious. On the other hand, if it is the traffic
sent from the server to the client, the client will do the same token encryption
algorithm as the server does, and compares the resulting encrypted tokens with
the received encrypted tokens from MB as well.
Rule Addition. In practice, new rules may need to be added to the
system. For a new rule $r'_i \in R'$, $i \in [n']$, RG randomly chooses $k'_i \in Z_p$,
calculates $r'_{w,i} = PRF_W(r'_i)$ and $R'_i = g^{r'_{w,i} + k'_i}$. It then signs the generated $R'_i$
with $sk$ to produce the signature $\sigma'_i$ of $R'_i$. Finally, it sends the newly added
attack rule tuples $\{R'_i, \sigma'_i, k'_i\}_{i \in [n']}$ to MB. For the newly added attack rule
tuples, the rule addition protocol is described in Fig. 5; it is a simplified
version of the preprocessing protocol.

Input: The client has inputs $(I_0, I_1, I_2)$, a token $t$, the random keys $ks$ and $c$, the value $R$, a salt $salt$ and a counter table $T$, where $I_0 = xy$, $I_1 = x$ and $I_2 = g^w$.
The algorithm is run by the client as follows:
1. Compute $I = I_0 + c = xy + c$.
2. For each token $t$:
• If there exists no tuple corresponding to $t$ in $T$: compute $t_w = PRF_{I_2}(t)$, $T_t = g^{c(I_1 t_w + I)} = g^{c(x t_w + xy + c)}$, set $count_t = 0$, and compute the encryption of $t$ as $E_t = Enc_{T_t}(salt)$. Finally, insert the tuple $(t, T_t, count_t)$ into $T$.
• If there exists a tuple $(t', T_{t'}, count_{t'})$ in $T$ where $t' = t$: update $count_t = count_t + 1$, and compute the encryption of $t$ as $E_t = Enc_{T_t}(salt + count_t)$.
3. If it is the first session, compute $C_{ks} = g^{ks}$, $C_w = (I_2)^{ks} = g^{w \cdot ks}$, $C_x = g^{I_1 ks} = g^{x \cdot ks}$ and $C_y = g^{I_0 ks} = g^{xy \cdot ks}$. The parameters $(salt, C_{ks}, C_w, C_x, C_y)$ are sent along with the encrypted token $E_t$ for token $t$.

Fig. 4. Token encryption algorithm


Pine 13

Input: MB has the newly added attack rule tuple set $\{(R'_i, \sigma'_i, k'_i)\}_{i \in [n']}$, where $R'_i = g^{r'_{w,i} + k'_i}$; GW has inputs $Y$, $x$.
The protocol is run between GW and MB:
1. MB sends $\{(R'_i, \sigma'_i)\}_{i \in [n']}$ to GW.
2. Upon receiving $\{(R'_i, \sigma'_i)\}_{i \in [n']}$, GW does: (1) Check if $\sigma'_i$ is a valid signature on $R'_i$ using $pk$ for $i \in [n']$; if not, halt and output $\bot$. (2) Compute $X'_i = (R'_i \cdot Y)^x = g^{x r'_{w,i} + x k'_i + xy}$ for $i \in [n']$, and send $\{X'_i\}_{i \in [n']}$ to MB.
3. MB computes the reusable randomized rule $K'_i = X'_i / X^{k'_i}$ for $i \in [n']$.

Fig. 5. Rule addition protocol

5 Security

5.1 Middlebox Searchable Encryption

Definition. For a message space $M$, a middlebox searchable encryption scheme
consists of the following algorithms:

– Setup($\lambda$): Takes a security parameter $\lambda$, outputs a key $sk$.
– TokenEnc($t_1, \ldots, t_n, sk$): Takes a token set $\{t_i \in M\}_{i \in [n]}$ and the key $sk$, outputs a set of ciphertexts $(c_1, \ldots, c_n)$ and a salt $salt$.
– RuleEnc($r, sk$): Takes a rule $r \in M$ and the key $sk$, outputs an encrypted rule $e_r$.
– Match($e_r, (c_1, \ldots, c_n), salt$): Takes an encrypted rule $e_r$, ciphertexts $\{c_i\}_{i \in [n]}$ and $salt$, outputs the set of indexes $\{ind_i\}_{i \in [l]}$, where $ind_i \in [n]$ for $i \in [l]$.

Correctness. We refer the reader to Appendix A for its definition.


Security. It is defined between a challenger $C$ and an adversary $A$.

– Setup. $C$ runs Setup($\lambda$) and obtains the key $sk$.
– Challenge. $A$ randomly chooses two sets of tokens $S_0 = \{t_{0,1}, \ldots, t_{0,n}\}$, $S_1 = \{t_{1,1}, \ldots, t_{1,n}\}$ from $M$ and gives the two sets to $C$. Upon receiving $S_0$ and $S_1$, $C$ flips a random coin $b$, runs TokenEnc($t_{b,1}, \ldots, t_{b,n}, sk$) to obtain a set of ciphertexts $(c_1, \ldots, c_n)$ and a salt $salt$. It then gives $(c_1, \ldots, c_n)$ and $salt$ to $A$.
– Query. $A$ randomly chooses a set of rules $(r_1, \ldots, r_m)$ from $M$ and gives the rules to $C$. Upon receiving the set of rules, for $i \in [m]$, $C$ runs RuleEnc($r_i, sk$) to obtain the encrypted rule $e_{r_i}$. $C$ then gives the encrypted rules $\{e_{r_i}\}_{i \in [m]}$ to $A$.
– Guess. $A$ outputs a guess $b'$ of $b$.

Let $I_{0,i}$ be the index set that matches $r_i$ in $S_0$ and $I_{1,i}$ be the index set that matches $r_i$ in $S_1$. If $I_{0,i} = I_{1,i}$ for all $i$ and $b' = b$, we say that the adversary wins the above game. The advantage of the adversary in the game is defined as $\Pr[b' = b] - 1/2$.

Definition 2. A middlebox searchable encryption scheme is secure if no PPT adversary has a non-negligible advantage in the game.

Construction. The construction below captures the main structure from the
security point of view.
– Setup($\lambda$): Let PRF be a pseudorandom function. Generate $x, y, c, w \in Z_p$ and set $(x, y, c, g^w)$ as the key.
– TokenEnc($t_1, \ldots, t_n, sk$): Let $salt$ be a random salt. For $i \in [n]$, do: (a) Let $count$ be the number of times that token $t_i$ repeats in the sequence $t_1, \ldots, t_{i-1}$; (b) Calculate $t_{w,i} = PRF_{g^w}(t_i)$, $T_{t_i} = g^{c(x t_{w,i} + xy + c)}$, $c_i = H(T_{t_i}, salt + count)$. Finally, the algorithm outputs $(c_1, \ldots, c_n)$ and $salt$.
– RuleEnc($r, sk$): Compute $r_w = PRF_{g^w}(r)$, $S = g^{c(x r_w + xy + c)}$, and output $H(S)$.
Theorem 1. Suppose $H$ is a random oracle; then the construction in Sect. 5.1 is a
secure middlebox searchable encryption scheme.
The proof of this theorem is provided in Appendix B.1.

5.2 Preprocessing Protocol


Definition. The preprocessing protocol is a two-party computation between
GW and MB. Let $f : \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^* \times \{0,1\}^*$ be the functionality being
computed, where for every input pair $(a, b)$ the outputs are $(f_1(a, b), f_2(a, b))$. In
our protocol, the input of GW is $x$, the input of MB is a derivation of $r$,
and only MB receives the output.
Security. The security requirements include: (a) GW should not learn the
value of each rule; (b) MB cannot forge any new reusable randomized rule that
is different from the reusable randomized rules obtained during the preprocessing
protocol. Intuitively, the second requirement is satisfied if MB cannot obtain
the value $x$. Since both GW and MB are assumed to be semi-honest, we
adopt the security definition with static semi-honest adversaries as in [6]. Let $\pi$
be the two-party protocol for computing $f$, $View^{\pi}_i$ be the $i$th party's view during
the execution of $\pi$, and $Output^{\pi}$ be the joint output of GW and MB from
the execution of $\pi$. For our protocol, since $f$ is a deterministic functionality, we
adopt the security definition for deterministic functionalities shown below.
Definition 3. Let $f : \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^* \times \{0,1\}^*$ be a deterministic
functionality. We say that $\pi$ securely computes $f$ in the presence of static semi-honest
adversaries if (a) $Output^{\pi}$ equals $f(a, b)$; (b) there exist PPT algorithms
$B_1$ and $B_2$ such that (1) $\{B_1(a, f_1(a, b))\} \stackrel{c}{\equiv} \{View^{\pi}_1(a, b)\}$, (2) $\{B_2(b, f_2(a, b))\} \stackrel{c}{\equiv} \{View^{\pi}_2(a, b)\}$, where $a, b \in \{0,1\}^*$ and $|a| = |b|$.
Protocol. In Fig. 6, we provide a simplified protocol that outlines the main
structure of the preprocessing protocol.
Lemma 1. No computationally unbounded adversary can guess a rule ri with
probability greater than 1/|R| with input Ri .
The proof of this lemma is provided in Appendix B.2.
Theorem 2. The preprocessing protocol securely computes f in the presence of
static semi-honest adversaries assuming the DDH assumption holds.
The proof of this theorem is provided in Appendix B.3.

Inputs: GW has inputs $x, y \in Z_p$; MB has inputs $\{(R_i, k_i)\}_{i \in [n]}$, where $R_i = g^{r_{w,i} + k_i}$.
The protocol is run between GW and MB:
1. GW computes $X = g^x$, and sends $X$ to MB.
2. MB sends $\{R_i\}_{i \in [n]}$ to GW.
3. GW computes $X_i = (R_i \cdot g^y)^x$ for $i \in [n]$, and sends $\{X_i\}_{i \in [n]}$ to MB.
4. MB computes $K_i = X_i / X^{k_i}$ as the reusable randomized rule for rule $r_i$.

Fig. 6. Simplified preprocessing protocol

5.3 Token Encryption


It captures the security requirement that GW cannot learn the underlying token
when given an encrypted token.

Definition. For a message space M, a token encryption scheme is as follows:

• Setup(λ): Takes as input a security parameter λ, outputs a secret key sk and


the public parameters pk.
• Enc(pk, sk, t): Takes as input the public parameters pk, a secret key sk and a
token t ∈ M, outputs a ciphertext c.

Security. It is defined between a challenger C and an adversary A.


– Setup: $C$ runs Setup($\lambda$) and sends the public parameters $pk$ to $A$.
– Challenge: $A$ randomly chooses two tokens $t_0, t_1$ from $M$ and sends them to $C$. $C$ flips a random coin $b \in \{0,1\}$, runs $c \leftarrow$ Enc($pk, sk, t_b$), and sends $c$ to $A$.
– Guess: $A$ outputs a guess $b'$ of $b$.
The advantage of an adversary is defined to be $\Pr[b' = b] - 1/2$.

Definition 4. A token encryption scheme is secure if no PPT adversary has a


non-negligible advantage in the security game.

Construction. The construction presented below outlines the main structure


from the security point of view.

– Setup($\lambda$): Let PRF be a pseudorandom function. Choose random values $x, y, c, w \in Z_p$, calculate $p_1 = g^c$, $p_2 = g^w$, $p_3 = x$ and $p_4 = y$. Finally, set $c$ as $sk$ and $(p_1, p_2, p_3, p_4)$ as $pk$.
– Enc($pk, sk, t$): Let $salt$ be a random salt. Calculate $t_w = PRF_{p_2}(t)$, $T_t = g^{c(x t_w + xy + c)}$, $c = H(T_t, salt)$. Output $c$ and $salt$.

Theorem 3. Suppose H is a random oracle, the construction in Sect. 5.3 is a


secure token encryption scheme.

The proof of this theorem is provided in Appendix B.4.



5.4 Rule Hiding


It captures the security requirement that MB cannot learn the underlying rule
when given an attack rule tuple (issued by RG).
Definition. For a message space M, a rule hiding scheme is defined as follows:
– Setup(λ): Takes as input a security parameter λ, outputs a secret key sk and
the public parameters pk.
– RuleHide(pk, sk, r): Takes as input the public parameters pk, a secret key sk
and a rule r ∈ M, outputs a hidden rule.

Security. The security definition for a rule hiding scheme is defined between a
challenger C and an adversary A as follows.

– Setup: C runs Setup(λ) and gives the public parameters to A.


– Challenge: $A$ chooses two random rules $r_0, r_1$ from $M$, and sends them to $C$. Upon receiving $r_0$ and $r_1$, $C$ flips a random coin $b$, runs RuleHide($pk, sk, r_b$) and returns the resulting hidden rule to $A$.
– Guess: $A$ outputs a guess $b'$ of $b$.

Construction.
– Setup($\lambda$): Let PRF be a pseudorandom function. Choose random $k, w \in Z_p$, set $g^w$ as $sk$ and $k$ as $pk$.
– RuleHide($pk, sk, r$): Calculate $r_w = PRF_{sk}(r)$, $R = g^{r_w + k}$, and output $R$.

Theorem 4. Suppose PRF is a pseudorandom function, the construction in


Sect. 5.4 is a secure rule hiding scheme.

The proof of this theorem is provided in Appendix B.5.
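The protocol flow of Sect. 4 (Figs. 2 to 5 together with the traffic detection and traffic validation steps) and the constructions of Sects. 5.1, 5.3 and 5.4 can be exercised end to end in a few dozen lines. The Python script below is an added illustration, not code from the paper or its authors, and its stand-in choices are assumptions rather than the paper's: a prime-order subgroup of $Z_p^*$ built deterministically around the Mersenne prime $q = 2^{127} - 1$ replaces NIST P-256; HMAC-SHA256 keyed with $g^w$ plays $PRF_{g^w}$; SHA-256 plays the random oracle $H$, so $Enc_{T_t}(salt + count)$ of Fig. 4 is realised as $H(T_t, salt + count)$ exactly as in Sect. 5.1; RG's signature is replaced by an HMAC tag under a key shared with GW (a MAC, which does not give the non-forgeability a real signature would); and the 8-byte rules and tokens are constructed sample data. All function and variable names are this example's own.

```python
# Toy end-to-end run of Pine (added example, not the paper's code); the group, PRF,
# H and the "signature" are stand-ins chosen for this demonstration.
import hashlib, hmac, secrets
Q = (1 << 127) - 1  # Mersenne prime: order of the toy prime-order subgroup (stand-in for P-256)

def _is_prime(n):  # fixed-base Miller-Rabin; adequate for building a demo group
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

k = next(k for k in range(2, 1 << 20, 2) if _is_prime(k * Q + 1))  # smallest even k with kQ+1 prime
P = k * Q + 1
G = pow(2, k, P)  # g = 2^k lies in the subgroup of order Q
assert G != 1

def prf(key_elem, msg):  # PRF_{g^w}(.): HMAC-SHA256 keyed with the group element, output in Z_Q
    return int.from_bytes(hmac.new(key_elem.to_bytes(32, "big"), msg, hashlib.sha256).digest(), "big") % Q
def H(elem, v):  # random oracle H(T, salt + count)
    return hashlib.sha256(elem.to_bytes(32, "big") + v.to_bytes(32, "big")).digest()

def rg_hide_rules(rules, w, sig_key):  # RG (Sect. 5.4): R_i = g^{r_{w,i} + k_i}, "signed" with an HMAC tag
    gw, out = pow(G, w, P), []
    for r in rules:
        k_i = secrets.randbelow(Q)
        R = pow(G, (prf(gw, r) + k_i) % Q, P)
        out.append((R, hmac.new(sig_key, R.to_bytes(32, "big"), hashlib.sha256).digest(), k_i))
    return out

def preprocess(mb_tuples, x, Y, sig_key):  # Fig. 2; Fig. 5 is the same call with the same x and Y
    X, Ks = pow(G, x, P), []                # GW: X = g^x
    for R, sigma, k_i in mb_tuples:         # MB sends (R_i, sigma_i); GW verifies and blinds
        if not hmac.compare_digest(sigma, hmac.new(sig_key, R.to_bytes(32, "big"), hashlib.sha256).digest()):
            raise ValueError("invalid signature on hidden rule")  # GW halts with bottom
        Xi = pow(R * Y % P, x, P)           # GW: X_i = (R_i * Y)^x = g^{x r_w + x k_i + xy}
        Ks.append(Xi * pow(X, Q - k_i, P) % P)  # MB: K_i = X_i / X^{k_i} = g^{x r_w + xy}
    return Ks

def mb_session_rules(Ks, C, Cs):  # Fig. 3: MB checks C = g^{C_s}, then S_i = (K_i * C)^{C_s}
    if C != pow(G, Cs, P):
        raise ValueError("client's C does not match the server's c")
    return [pow(K * C % P, Cs, P) for K in Ks]  # S_i = g^{c(x r_w + xy + c)}

def _encrypt_stream(tokens, salt, T_of):  # shared body of Fig. 4: E_t = H(T_t, salt + count of repeats)
    counts, out = {}, []
    for t in tokens:
        counts[t] = counts.get(t, -1) + 1
        out.append(H(T_of(t), salt + counts[t]))
    return out

def client_encrypt_tokens(tokens, I0, I1, I2, c, salt):  # Fig. 4 / TokenEnc: T_t = g^{c(x t_w + xy + c)}
    I = (I0 + c) % Q
    return _encrypt_stream(tokens, salt, lambda t: pow(G, c * ((I1 * prf(I2, t) + I) % Q) % Q, P))

def server_encrypt_tokens(tokens, gw, gx, gxy, c, salt):  # same T_t, using only (g^w, g^x, g^{xy})
    gc = pow(G, c, P)
    return _encrypt_stream(tokens, salt, lambda t: pow(pow(gx, prf(gw, t), P) * gxy * gc % P, c, P))

def mb_detect(Ss, enc_tokens, salt):  # traffic detection with the per-rule counter table
    table = {H(S, salt): i for i, S in enumerate(Ss)}  # Er_i = H(S_i, salt + 0)
    counts, hits = [0] * len(Ss), []
    for pos, Et in enumerate(enc_tokens):
        i = table.pop(Et, None)
        if i is not None:
            hits.append((pos, i))
            counts[i] += 1
            table[H(Ss[i], salt + counts[i])] = i  # re-insert the rule with its new counter
    return hits

def server_unmask(ks, masks):  # traffic validation: check C_ks = g^{ks}, then strip ks via ks^{-1} mod Q
    Cks, Cw, Cx, Cy = masks
    if Cks != pow(G, ks, P):
        raise ValueError("C_ks does not match the TLS-derived ks")
    inv = pow(ks, -1, Q)
    return pow(Cw, inv, P), pow(Cx, inv, P), pow(Cy, inv, P)  # (g^w, g^x, g^{xy})

def demo():  # constructed sample run: returns (matches as (token position, rule index), validation ok)
    sig_key, w = secrets.token_bytes(32), secrets.randbelow(Q)
    rules = [b"evil.exe", b"/etc/pas", b"cmd.exe "]  # constructed 8-byte rules
    x, y = 1 + secrets.randbelow(Q - 1), 1 + secrets.randbelow(Q - 1)
    Y = pow(G, y, P)
    Ks = preprocess(rg_hide_rules(rules, w, sig_key), x, Y, sig_key)
    Ks += preprocess(rg_hide_rules([b"rm -rf /"], w, sig_key), x, Y, sig_key)  # rule addition (Fig. 5)
    I0, I1, I2 = x * y % Q, x, pow(G, w, P)  # GW's initialization parameters
    c, ks, salt = 1 + secrets.randbelow(Q - 1), 1 + secrets.randbelow(Q - 1), secrets.randbelow(1 << 128)
    Ss = mb_session_rules(Ks, pow(G, c, P), c)
    payload = [b"GET /idx", b"evil.exe", b"evil.exe", b"hello!!!", b"rm -rf /"]  # constructed tokens
    enc = client_encrypt_tokens(payload, I0, I1, I2, c, salt)
    masks = (pow(G, ks, P), pow(I2, ks, P), pow(G, I1 * ks % Q, P), pow(G, I0 * ks % Q, P))
    gw, gx, gxy = server_unmask(ks, masks)
    return mb_detect(Ss, enc, salt), server_encrypt_tokens(payload, gw, gx, gxy, c, salt) == enc
```

Running `demo()` reports the matches as (token position, rule index) pairs. With the constructed payload the repeated token `evil.exe` matches twice because MB re-inserts the encrypted rule with the incremented counter, the rule added through the Fig. 5 path matches like any other, and the server's recomputation from the unmasked $(g^w, g^x, g^{xy})$ reproduces the client's encrypted tokens. The three `ValueError` sites are where GW (bad signature), MB ($C \neq g^{C_s}$) and the server ($C_{ks} \neq g^{ks}$) halt in the paper.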

6 Performance Evaluations
We investigate the performance of the network connection between a client and
a server. Since PrivDPI performs better than BlindBox, we only present the
comparison with PrivDPI. Let a one-round connection be a connection from
the client to the server. The running time of a one-round connection reflects
how fast a client can be connected to a server, and the communication cost
captures the amount of overhead data that needs to be transferred to establish
this connection. Ideally, the running time of a one-round connection should be
as small as possible: the less running time it incurs, the faster a client can
connect to a server. Similarly, it is desirable to minimize the network communication
overhead. We test the running time and the communication cost of a one-round
connection for our protocol and PrivDPI respectively. Our experiments are run
on an Intel(R) Core i7-8700 CPU running at 3.20 GHz with 8 GB RAM under a
64-bit Linux operating system. The CPU supports AES-NI instructions, where
the encryption of tokens and the encryption of rules make use of this hardware support.
The experiments are built on Charm-crypto [1] and use NIST curve P-256.
As stated in Sect. 3, both the rules and the tokens consist of 8 bytes. For
simplicity, the payload that we test does not contain repeated tokens. We test
each case 20 times and take the average.

Fig. 7. Experimental performances. (a) Running time (ms) of a one-round connection vs. number of rules; (b) communication cost (kb) vs. number of rules; (c) running time (ms) vs. number of tokens; (d) communication cost (kb) vs. number of tokens; (e) running time (ms) vs. number of added rules; (f) communication cost (kb) vs. number of added rules. Each panel compares PrivDPI with Pine.
How does the number of rules influence the one-round connection?
Figure 7a illustrates the running time of a one-round connection with 5,000 tokens
when the number of rules ranges from 600 to 6,000. Pine takes less time than
PrivDPI in every case, and the gap widens as the number of rules grows. This
means that it takes less time for a client in Pine to connect to a server. In
particular, for 5,000 tokens and 6,000 rules, Pine takes approximately 665 ms,
while PrivDPI takes approximately 912 ms; that is, the delay of a one-round
connection in Pine is 27% lower than in PrivDPI. For 5,000 tokens and 3,000 rules,
Pine takes approximately 488 ms, while PrivDPI takes approximately 616 ms, so
a client in Pine connects to a server 20.7% faster than in PrivDPI. Figure 7b
shows the communication cost of a one-round connection with 5,000 tokens when
the number of rules ranges from 600 to 6,000. The communication cost of PrivDPI
grows linearly with the number of rules, while for Pine it is constant. This is
because the client in PrivDPI needs to run the preprocessing protocol with MB,
and the communication cost of that protocol is linear in the number of rules.
How does the number of tokens influence the one-round connection?
We fix the number of rules to 3,000, and test the running time and
communication cost when the number of tokens ranges from 1,000 to 10,000.

Figure 7c shows that the running time of Pine is linear in the number of tokens
in the payload, as is that of PrivDPI. However, in every case Pine consumes
less time than PrivDPI, for two reasons. First, a client in Pine does not need
to run the preprocessing protocol for the 3,000 rules. Second, the encryption of
a token in PrivDPI mainly takes one multiplication in G, one exponentiation in G
and one AES encryption, whereas in Pine it mainly takes one hash operation, one
exponentiation in G and one AES encryption; that is, the token encryption of
Pine is faster than that of PrivDPI. Figure 7d shows the communication cost of
a one-round connection with 3,000 rules when the number of tokens ranges from
1,000 to 10,000. As with the running time, the communication costs of Pine
and PrivDPI are both linear in the number of tokens, but Pine incurs less
communication than PrivDPI, owing to the additional communication cost
of the preprocessing protocol in PrivDPI for the 3,000 rules.
How does the number of newly added rules influence the one-round
connection? We test the running time and communication cost with 3,000 rules
and 5,000 tokens when the number of newly added rules ranges from 300 to
3,000. Figure 7e shows that Pine takes less time than PrivDPI. For 3,000 newly
added rules, Pine takes 424.96 ms, while PrivDPI takes 913.52 ms; that is, Pine
is 53.48% faster than PrivDPI. Figure 7f shows that the communication cost
of Pine is lower than that of PrivDPI. In particular, the communication cost of Pine is
independent of the number of newly added rules, while that of PrivDPI is linear in
the number of newly added rules. This is because the client in Pine does not
need to run the preprocessing protocol online.

7 Related Work

Our protocol is constructed on top of BlindBox, proposed by Sherry et al. [20], and
PrivDPI, proposed by Ning et al. [15], as stated in the introduction. BlindBox
introduces privacy-preserving deep packet inspection directly on encrypted traffic,
while PrivDPI uses an obfuscated rule generation mechanism with
improved performance compared to BlindBox. Using the construction in BlindBox
as the underlying component, Lan et al. [9] further proposed Embark, which
leverages a trusted enterprise gateway to perform privacy-preserving detection
in a cloud-based middlebox setting. In Embark, the enterprise gateway must
be fully trusted and learns the content of the traffic and the detection rules,
although in that case the client does not need to perform any operation, unlike in our
protocol. Our work focuses on the original setting of BlindBox and PrivDPI with
further performance improvements, new properties and a stronger privacy guarantee,
while considering the practical enterprise gateway setting, in which the
gateway need not be fully trusted. Canard et al. [4] also proposed a protocol,
BlindIDS, based on the concept of BlindBox, that has better performance. The
protocol consists of a token-matching mechanism based on pairing-based
public key operations. Though practical, it is not compatible with the TLS protocol.

Another related line of work focuses on the accountability of the middlebox.
This means that the client and the server are aware of the middlebox that performs
inspection on the encrypted traffic and are able to verify the authenticity of these
middleboxes. Naylor et al. [14] first proposed such a scheme, termed mcTLS,
in which the existing TLS protocol is modified in order to achieve the accountability
properties. However, Bhargavan et al. [3] showed that mcTLS can be tampered
with by an attacker to create confusion about the identity of the server that a middlebox
is connected to, and that the attacker may be able to inject its own data
into the connection. In response, a formal model for analyzing this type of protocol
was proposed. Naylor et al. [13] further proposed a scheme, termed mbTLS,
which does not modify the TLS protocol, thus allowing authentication of the
middleboxes without replacing the existing TLS protocol. More recently,
Lee et al. [10] proposed maTLS, a protocol that performs explicit authentication
and verification of security parameters.
There are also proposals that analyse encrypted traffic without decrypting
or inspecting the encrypted payloads: machine learning models are used
to detect anomalies based on the metadata of the encrypted traffic. Anderson
et al. [2] proposed such techniques for malware detection on encrypted traffic.
Trusted hardware has also been deployed for privacy-preserving deep packet
inspection. Most of the proposals use the secure enclave of Intel SGX. The
main idea is to give the trusted hardware residing in the middlebox the session
key. These include SGX-Box proposed by Han et al. [8], SafeBricks by Poddar
et al. [19], ShieldBox by Trach et al. [21] and LightBox by Duan et al. [5].
We note that our work can be combined with the accountability protocols,
as well as with the machine learning based works, to provide comprehensive encrypted-traffic
inspection that encompasses authentication and privacy.

8 Conclusion
In this paper, we proposed Pine, a protocol that allows inspection of encrypted
traffic in a privacy-preserving manner. Pine builds upon the setting of BlindBox
and the techniques of PrivDPI in a practical setting, yet hides the rule sets
from the middleboxes with significantly improved performance compared to the
two prior works. Furthermore, the protocol allows lightweight rule addition on
the fly, which to the best of our knowledge has not been considered previously.
Pine uses the common enterprise setting in which clients establish connections
to Internet servers via an enterprise gateway, in such a way that the
gateway assists in establishing the encrypted rule sets without learning the content
of the client's traffic. At the same time, a middlebox inspects the encrypted
traffic without learning either the underlying rules or the content of the traffic. We
demonstrated the improved performance of Pine over PrivDPI through extensive
experiments. We believe Pine is a promising approach to detecting malicious traffic
amid growing privacy concerns for both corporate and individual users.

Acknowledgments. This work is supported in part by Singapore National Research


Foundation (NRF2018NCR-NSOE004-0001) and AXA Research Fund, in part by
copied by the Rev. J. Rath (Rhenish Missionary, formerly in Damara
Land, now at Sarepta Knils River), and accompanied with a German
translation by him. 5

Among these pieces there are seven ghost stories, four accounts of
transformation of men or animals, eleven other household tales, one
legend, and one fable. This last piece (No. 11, pp. 27, 29) is probably
of Hottentot origin. I have therefore thought it best to give it a place
in this little book (No. 14), where it precedes that Hottentot Fable, to
which its concluding portions bear such a striking resemblance. It
is not unlikely that the beginning of this Hottentot Fable of The
Giraffe and the Tortoise is missing. It may have been similar to the
beginning of the corresponding one in Damara. As far as it goes the
Hottentot Fable is however evidently more original than the o Tyi-
hereró text. As a specimen of o Tyi-hereró household tales, I have
given Rath’s fifteenth piece, the story of The Unreasonable Child to
whom the Dog gave its Deserts.

You will also approve of my having added the Zulu legend of the
Origin of Death, which in its mixture of Fable and Myth, and even in
several details of its composition, shows a great analogy to the
Hottentot treatment of the same subject, of which I am able to give
here four different versions.

A second version of two or three other fables, and of one legend,
has also been given from one of the two important manuscripts in
German, regarding the Hottentots and their language, prepared for
you by Mr. Knudsen. 6 The same manuscript supplied also a
legend of The Origin of Difference in Modes of Life between
Hottentots and Bushmen, which we do not yet possess in the
Hottentot language.

To make our available stock of Nama Hottentot literature quite
complete, three fables and four tales have been taken from Sir
James Alexander’s “Expedition,” &c., and inserted here, with only
few insignificant verbal alterations.

The “Songs of Praise,” given as notes to some of the Fables in this


volume, are merely intended as specimens of Hottentot poetry. They
can hardly be expected to amuse or interest the general reader—at
least, not in the form in which they appear here, though a Longfellow
might be able to render some of them in a way that would make
them attractive.

In the same manner the materials contained in these Hottentot


Fables might be worked out similarly to Goethe’s “Reinecke Fuchs;”
and we should hereby probably gain an epical composition, which,
though not ranking so high as the latter poem, would yet, as regards
the interest of its subject-matter, far exceed Longfellow’s “Hiawatha”
in adaptation to the general taste.

How much Native productions gain when represented skilfully and
properly, your admirable work on “Polynesian Mythology” has shown.
But you had sterner and more important work on hand, and so I have
had to do this without you. That it does not appear in a still more
imperfect form, I owe mainly to the help of one who naturally
takes the greatest interest in all my pursuits.

In writing the last lines of this Preface, the interest which I feel for
these Hottentot Fables is almost fading away before those rich
treasures of your library which have just arrived from England; and
as all our present efforts are of course given to the proper settling of
these jewels of our library, I can merely send, with grateful
acknowledgments, our most fervent wishes for your well-doing, and
our sincere hope of seeing you, at no distant day, again in the midst
of us.
Believe me,
My dear Sir George,
Yours most faithfully,
W. H. I. BLEEK.

Capetown, April, 1863.

1 Cisgariepian, from the Nama point of view, i.e., to the North of the Orange
River. ↑
2 I give here some extracts from Mr. Wallmann’s letter, dated Barmen, 13th April,
1850, which was the only help of a grammatical or lexical nature then available
for me in my study of this Nama translation of Luke’s Gospel:—
“I transmit hereby Luke’s Gospel in Namaqua, … which I can lend you, however,
only for four weeks, as I have already previously promised it to some one else.
“Should your labours permit it, I wish to request you to make a little trial whether
the Namaqua is somewhat related to the South African family of Languages. For
the present a mere negative decision on this point is all that is wanted, and I
should like to have very soon the opinion of some good philologist regarding it.
Moffat states that when he gave specimens of Namaqua to a Syrian who came
from Egypt, he was told that he (the Syrian) had seen slaves in the market of Cairo
who were of lighter colour than other Africans, and whose language resembled
that of the Namaqua. Moffat also says that some ancient authors have mentioned
a nation in the interior of Africa who were very similar to the Hottentots. Moffat
seems himself, however, to ascribe little value to these accounts, for his guesses
fall at once upon the Chinese. According to communications from our Missionary
Knudsen, the Namaqua language seems well formed. He mentions as personal
pronouns:—
Tita (I); saaz, i.e. sāts (thou); χyb, i.e. ǁẽip (he); sada (we); sako (you); χyku, i.e. ǁĕiku (they);
but to show the modifications which the pronouns undergo according to the
gender, and whether the person (spoken to) is included or excluded (in the first
person plural), the following examples of inclusive or exclusive forms are given:—
“We are captains.”
mascul.: (incl.) Sake ke kauauke; (excl.) Sike ke kauauke.
fem.: (incl.) Sase ke kautase; (excl.) Sise ke kautase.
com.: (incl.) Sada ke tana-khoida; (excl.) Sida ke tana-khoida.
dual mascul.: (incl.) Sakhom ke kauaukhoma; (excl.) Sikhom ke kauaukhoma.
dual fem.: (incl.) Saam he kautama; (excl.) Siim ke kautama.
dual com.: (incl.) Saam ke tana-khoima; (excl.) Siim ke tana-khoima.
“The second person of the plural is said to have not more than half as many
distinctions; and the third person plural has only the following:—
mascul.: χyku ke kauauga
fem.: χyte ke kautate
com.: χyn ke tana-khoina
dual mascul.: χykha ke kauaukha
dual fem.: χyra ke kautara
dual com.: χyra ke tana-khoira

“You will therefore oblige me by looking into the Namaqua Luke, and by having the
kindness to write me your opinion regarding it.” ↑
3 Report of the Correspondence and Paper read at the General Meeting of the
Syro-Egyptian Society, Session of 1851 and 1852. Read at the Anniversary
Meeting, held April 20th, 1852, 8vo. pp. 6, 8. ↑
4 “Ethnology of the Indo-Pacific Islands.” By J. R. Logan, Esq., Hon. Fellow of the
Ethnological Society. Language, Part ii. “The Races and Languages of S.E.
Asia, considered in relation to those of the Indo-Pacific Islands,” Chapter v.,
sections i. to vi. [From the Journal of the Indian Archipelago and Eastern Asia,
June and December, 1853, to December, 1854.] Singapore: Printed by Jakob
Baptist, 8vo., pp. 229, 294, sec. 6. The Semitico-African Languages, viz.:—1.
General Characters, p. 229; 2. Egyptian, p. 248; 3. Hottentot, p. 248; 4. Shemo-
Hamitic, or Assyro-Berber, p. 259. ↑
5 Mr. Rath’s Manuscript consists of sixty-one pages, with double columns,
foolscap folio. It contains the following pieces:—
1. The Spectre Sweethearts, pp. 1, 2.
2. The Lion Husbands, pp. 2, 5.
3. Tenacity of a Loving Mother’s Care, pp. 5, 6.
4. The Girl who ran after her Father’s Bird, pp. 6, 12.
5. The Handsome Girl, pp. 12, 15.
6. The Little Bushman Woman, pp. 17, 18.
7. Punishment of Imposition, pp. 19, 21.
8. The Spectre who Fell in Love with his Son’s Wife, pp. 22, 23.
9. The Lunatic, p. 23.
10. The Girls who Escaped from the Hill Damaras, pp. 24, 26.
11. The Elephant and the Tortoise, pp. 27, 29.
12. The Two Wives, pp. 29, 33.
13. The Lion who took different Shapes, pp. 34, 35.
14. The Little Girl left in the Well by her wicked Companions, pp. 35, 38.
15. The Unreasonable Child to whom the Dog gave its Deserts, pp. 39, 43.
16. Rutanga, p. 44.
17. The Ghost of the Man who was Killed by a Rhinoceros in consequence of his Father’s Curse, pp. 45, 47.
18. The Trials of Hambeka, a Spirit risen from the Dead, pp. 47, 50.
19. The Little Girl who was teased by an Insect, p. 51.
20. The same as 16 (Rutanga), p. 52.
21. Conjugal Love after Death, p. 53.
22. The Bad Katjungu and the Good Kahavundye, pp. 54, 57.
23. The Wife who went after her Husband, pp. 57, 59.
24. The Little Girl Murdered by the Hill Damara, pp. 59, 61.
6 The title of Mr. Knudsen’s first Manuscript is, “Südafrica: Das Hottentot-Volk;
Notizzen (Manuscript) H. C. Knudsen.” 4to., p. 12. Its contents are, Bushman
Land, p. 3; the different kinds of Rain, p. 3; Bethany (in Great Namaqualand),
p. 3; the Damara, p. 4; the Grassy Plain, p. 4; the Diseases, pp. 4, 5; Birdsnests, p.
5; Marriage and Wedding among the Namaqua, p. 5; Extent of Authority among
the Namaqua, p. 5; Similarity with the Jewish manner of Thinking, Counting,
Eating, Drinking, Praying, Mode of Speech, and manner of Reckoning
Relationship, p. 6; Heitsi Eibip or Kabip, p. 7; Origin of the Modes of Life of the
Namaqua and Bushmen, pp. 7, 8; Coming of Age among the Hottentots, p. 8;
Names of Hottentot Tribes and their probable Etymology, pp. 8, 9; Are the
Hottentots of Egyptian or Phœnician Origin? p. 9; Are the Hottentots of Jewish or
Moabitic Origin? pp. 9, 10; Appendix, pp. 11, 12.
Mr. Knudsen’s second Manuscript has the following title, “Stoff zu einer Grammatik
in der Namaquasprache (Manuscript), H. C. Knudsen.” 4to. pp. 29. After a few
general introductory remarks, and a short explanation of the Hottentot Alphabet,
Mr. Knudsen treats of the different Parts of Speech:—I. Nouns, pp. 3, 4; II.
Adjectives, pp. 4, 5; III. Pronouns, pp. 5, 10; IV. Numerals, p. 11; V. Verbs, pp. 12,
24; Interrogative Sentences, pp. 25, 26; Concluding Remarks, pp. 26, 29. ↑

I.
JACKAL FABLES.


1. THE LION’S DEFEAT.


(The original, in the Hottentot language, is in Sir G. Grey’s Library, G. Krönlein’s
Manuscript, pp. 19, 20.)

The wild animals, it is said, were once assembled at the Lion’s.


When the Lion was asleep, the Jackal persuaded the little Fox 1 to
twist a rope of ostrich sinews, in order to play the Lion a trick. They
took ostrich sinews, twisted them, and fastened the rope to the
Lion’s tail, and the other end of the rope they tied to a shrub. When
the Lion awoke, and saw that he was tied up, he became angry, and
called the animals together. When they had assembled, he said
(using this form of conjuration)—

“What child of his mother and father’s love,


Whose mother and father’s love has tied me?”

Then answered the animal to whom the question was first put—

“I, child of my mother and father’s love,


I, mother and father’s love, I have not done it.”

All answered the same; but when he asked the little Fox, the little
Fox said—

“I, child of my mother and father’s love,
I, mother and father’s love, have tied thee!”

Then the Lion tore the rope made of sinews, and ran after the little
Fox. But the Jackal said—

“My boy, thou son of the lean Mrs. Fox, thou wilt never be caught.”

Truly the Lion was thus beaten in running by the little Fox.


2. THE HUNT OF THE LION AND JACKAL.


(The original, in the Hottentot language, is in Sir G. Grey’s Library, G. Krönlein’s
Manuscript, pp. 18, 19.)

The Lion and the Jackal, it is said, were one day lying in wait for
elands. The Lion shot (with the bow) and missed, but the Jackal hit
and sang out, “Hah! Hah!” The Lion said, “No, you did not shoot
anything. It was I who hit.” The Jackal answered, “Yea, my father,
thou hast hit.” Then they went home in order to return when the
eland was dead, and cut it up. The Jackal, however, turned back,
unknown to the Lion, hit his nose so that the blood ran on the spoor
of the elands, and followed their track thus, in order to cheat the
Lion. When he had gone some distance, he returned by another way
to the dead eland, and creeping into its carcase, cut out all the fat.

Meanwhile the Lion followed the bloodstained spoor of the Jackal,
thinking that it was elands’ blood, and only when he had gone some
distance did he find out that he had been deceived. He then returned
on the Jackal’s spoor, and reached the dead eland, where, finding
the Jackal in its carcase, he seized him by his tail and drew him out
with a swing.

The Lion upbraided the Jackal with these words: “Why do you cheat
me?” The Jackal answered: “No, my father, I do not cheat you; you
may know it, I think. I prepared this fat for you, father.” The Lion said:
“Then take the fat and bring it to your mother” (the Lioness); and he
gave him the lungs to take to his own wife and children.

When the Jackal arrived, he did not give the fat to the Lion’s wife, but
to his own wife and children; he gave, however, the lungs to the
Lion’s wife, and he pelted the Lion’s little children with the lungs,
saying:

“You children of the big-pawed one!


You big-pawed ones!”

He said to the Lioness, “I go to help my father” (the Lion); but he
went quite away with his wife and children.


3. THE LION’S SHARE.


(From a German original Manuscript in Sir G. Grey’s Library, viz., H. C. Knudsen’s
“Notes on the Hottentots,” pp. 11, 12.)

The Lion and the Jackal went together a-hunting. They shot with
arrows. The Lion shot first, but his arrow fell short of its aim; but the
Jackal hit the game, and joyfully cried out, “It has hit.” The Lion
looked at him with his two large eyes; the Jackal, however, did not
lose his countenance, but said, “No, Uncle, I mean to say that you
have hit.” Then they followed the game, and the Jackal passed the
arrow of the Lion without drawing the latter’s attention to it. When
they arrived at a cross-way, the Jackal said, “Dear Uncle, you are old
and tired; stay here.” The Jackal went then on a wrong track, beat
his nose, and, in returning, let the blood drop from it like traces of
game. “I could not find anything,” he said, “but I met with traces of
blood. You had better go yourself to look for it. In the meantime I
shall go this other way.” The Jackal soon found the killed animal,
crept inside of it, and devoured the best portion; but his tail
remained outside, and when the Lion arrived, he got hold of it, pulled
the Jackal out, and threw him on the ground with these words: “You
rascal!” The Jackal rose quickly again, complained of the rough
handling, and asked, “What have I then now done, dear Uncle? I
was busy cutting out the best part.” “Now let us go and fetch our
wives,” said the Lion; but the Jackal entreated his dear Uncle to
remain at the place because he was old. The Jackal went then away,
taking with him two portions of the flesh, one for his own wife, but the
best part for the wife of the Lion. When the Jackal arrived with the
flesh, the children of the Lion saw him, began to jump, and clapping
their hands, cried out, “There comes Uncle with flesh!” The Jackal
threw, grumbling, the worst portion to them, and said, “There, you
brood of the big-eyed one!” Then he went to his own house and told
his wife immediately to break up the house, and to go where the
killed game was. The Lioness wished to do the same, but he forbade
her, and said that the Lion would himself come to fetch her.

When the Jackal, with his wife and children, had arrived in the
neighbourhood of the killed animal, he ran into a thorn bush,
scratched his face so that it bled, and thus made his appearance
before the Lion, to whom he said, “Ah! what a wife you have got.
Look here, how she scratched my face when I told her that she
should come with us. You must fetch her yourself; I cannot bring
her.” The Lion went home very angry. Then the Jackal said, “Quick,
let us build a tower.” They heaped stone upon stone, stone upon
stone, stone upon stone; and when it was high enough, everything
was carried to the top of it. When the Jackal saw the Lion
approaching with his wife and children, he cried out to him, “Uncle,
whilst you were away we have built a tower, in order to be better able
to see game.” “All right,” said the Lion; “but let me come up to you.”
“Certainly, dear Uncle; but how will you manage to come up? We
must let down a thong for you.” The Lion ties himself to the thong,
and is drawn up; but when he is nearly at the top the thong is cut by
the Jackal, who exclaims, as if frightened, “Oh, how heavy you are,
Uncle! Go, wife, fetch me a new thong.” (“An old one,” he said aside
to her.) The Lion is again drawn up, but comes of course down in the
same manner. “No,” said the Jackal, “that will never do; you must,
however, manage to come up high enough, so that you may get a
mouthful at least.” Then aloud he orders his wife to prepare a good
piece, but aside he tells her to make a stone hot, and to cover it
with fat. Then he drew up the Lion once more, and, complaining that
he is very heavy to hold, he tells him to open his mouth, whereupon
he throws the hot stone down his throat. When the Lion has
devoured it, he entreats and requests him to run as quickly as
possible to the water.


4. THE JACKAL’S BRIDE.


(The original, in the Hottentot language, is in Sir G. Grey’s Library, G. Krönlein’s
Manuscript, pp. 7, 8.)

The Jackal, it is said, married the Hyena, and carried off a cow
belonging to ants, to slaughter her for the wedding; and when he had
slaughtered her, he put the cow-skin over his bride; and when he
had fixed a pole (on which to hang the flesh), he placed on the top of
the pole (which was forked) the hearth for cooking, in order to cook
upon it all sorts of delicious food. There came also the Lion to the
spot, and wished to go up. The Jackal, therefore, asked his little
daughter for a thong with which he could pull the Lion up, and he
began to pull him up; and when his face came near to the cooking-
pot, he cut the thong in two, so that the Lion tumbled down. Then the
Jackal upbraided his little daughter with these words: “Why do you
give me such an old thong?” And he added, “Give me a fresh thong.”
She gave him a new thong, and he pulled the Lion up again, and
when his face came near the pot, which stood on the fire, he said,
“Open your mouth.” Then he put into his mouth a hot piece of quartz
which had been boiled together with the fat, and the stone went
down, burning his throat. Thus died the Lion.

There came also the ants running after the cow, and when the Jackal
saw them he fled. Then they beat the bride in her brookaross dress.
The Hyena, believing that it was the Jackal, said—

“You tawny rogue! have you not played at beating long enough?
Have you no more loving game than this?”

But when she had bitten a hole through the cow-skin, she saw that
they were other people; then she fled, falling here and there, yet she
made her escape.


5. THE WHITE MAN AND THE SNAKE.


(The original, in the Hottentot language, is in Sir G. Grey’s Library, G.
Krönlein’s Manuscript, pp. 5, 6.)

A White Man, it is said, met a Snake upon whom a large stone had
fallen and covered her, so that she could not rise. The White Man
lifted the stone off the Snake, but when he had done so, she wanted
to bite him. The White Man said, “Stop! let us both go first to some
wise people.” They went to the Hyena, and the White Man asked
him, “Is it right that the Snake should want to bite me, though I
helped her, when she lay under a stone and could not rise?”

The Hyena (who thought he would get his share of the White Man’s
body) said: “If you were bitten what would it matter?”

Then the Snake wanted to bite him, but the White Man said again:
“Wait a little, and let us go to other wise people, that I may hear
whether this is right.”

They went and met the Jackal. The White Man said to the Jackal: “Is
it right that the Snake wants to bite me, though I lifted up the
stone which lay upon her?”

The Jackal replied: “I do not believe that the Snake could be covered
by a stone and could not rise. Unless I saw it with my two eyes, I
would not believe it. Therefore, come let us go and see at the place
where you say it happened whether it can be true.”

They went, and arrived at the place where it had happened. The
Jackal said: “Snake, lie down, and let thyself be covered.”

The Snake did so, and the White Man covered her with the stone;
but although she exerted herself very much, she could not rise. Then
the White Man wanted again to release the Snake, but the Jackal
interfered, and said: “Do not lift the stone. She wanted to bite you;
therefore she may rise by herself.”

Then they both went away and left the Snake under the stone.


6. ANOTHER VERSION OF THE SAME FABLE.


(From a German original Manuscript in Sir G. Grey’s Library, H. C. Knudsen’s
“Notes on the Hottentots,” p. 11.)

A Dutchman was walking by himself, and saw a Snake lying under a
large stone. The Snake implored his help; but when she had become
free, she said, “Now I shall eat you.”

The Man answered, “That is not right. Let us first go to the Hare.”

When the Hare had heard the affair, he said, “It is right.” “No,” said
the Man, “let us ask the Hyena.”

The Hyena declared the same, saying, “It is right.”

“Now let us at last ask the Jackal,” said the Man in his despair.

The Jackal answered very slowly and considerately, doubting the
whole affair, and demanding to see first the place, and whether the
Man was able to lift the stone. The Snake lay down, and the Man, to
prove the truth of his account, put the stone again over her.

When she was fast, the Jackal said, “Now let her lie there.”

7. CLOUD-EATING.
(The original, in the Hottentot language, is in Sir G. Grey’s Library, G. Krönlein’s
Manuscript, pp. 30, 31.)

THE HYENA.

Thou who makest thy escape from the tumult!
Thou wide, roomy tree!
Thou who gettest thy share (though with trouble!)
Thou cow who art strained at the hocks! 2
Thou who hast a plump round knee!
Thou the nape of whose neck is clothed with hair!
Thou with the skin dripping as if half-tanned!
Thou who hast a round, distended neck!
Thou eater of the Namaqua,
Thou big-toothed one!

The Jackal and the Hyena were together, it is said, when a white
cloud rose. The Jackal ascended upon it, and ate of the cloud as if it
were fat.

When he wanted to come down, he said to the Hyena, “My sister, as
I am going to divide with thee, catch me well.” So she caught him,
and broke his fall. Then she also went up and ate there, high up on
the top of the cloud.

When she was satisfied, she said, “My greyish brother, now catch
me well.” The greyish rogue said to his friend, “My sister, I shall
catch thee well. Come therefore down.”

He held up his hands, and she came down from the cloud, and when
she was near, the Jackal cried out (painfully jumping to one side),
“My sister, do not take it ill. Oh me! oh me! A thorn has pricked me,
and sticks in me.” Thus she fell down from above, and was sadly
hurt.

Since that day, it is said, that the Hyena’s left hind foot is shorter and
smaller than the right one.


8. FISH-STEALING.
(From Sir James E. Alexander’s “Expedition of Discovery into the Interior of
Africa,” vol. ii. pp. 246, 247.)

THE HYENA.

(Addressing her young ones, on her return from a marauding
expedition, with regard to the perils she had encountered).

The fire threatens,
The stone threatens,
The assegais threaten,
The guns threaten,
Yet you seek food from me.
My children,
Do I get anything easily?

Once upon a time a Jackal, who lived on the borders of the colony,
saw a waggon returning from the seaside laden with fish. He tried to
get into the waggon from behind, but he could not; he then ran on
before, and lay in the road as if dead. The waggon came up to him,
and the leader cried to the driver, “Here is a fine kaross for your
wife!”

“Throw it into the waggon,” said the driver, and the Jackal was
thrown in.

The waggon travelled on through a moonlight night, and all the while
the Jackal was throwing the fish out into the road; he then jumped
out himself, and secured a great prize. But a stupid old Hyena
coming by, ate more than her share, for which the Jackal owed her a
grudge; so he said to her, “You can get plenty of fish, too, if you lie in
the way of a waggon as I did, and keep quite still whatever
happens.”

“So!” mumbled the Hyena.

Accordingly, when the next waggon came from the sea, the Hyena
stretched herself out in the road.

“What ugly thing is this?” cried the leader, and kicked the Hyena. He
then took a stick and thrashed her within an inch of her life. The
Hyena, according to the directions of the Jackal, lay quiet as long as
she could; she then got up and hobbled off to tell her misfortune to
the Jackal, who pretended to comfort her.

“What a pity,” said the Hyena, “that I have not such a handsome skin
as you!”

9. WHICH WAS THE THIEF?


(From Sir James E. Alexander’s “Expedition of Discovery into the Interior of
Africa,” vol. ii. p. 250.)

A Jackal and a Hyena went and hired themselves to a man to be his
servants. In the middle of the night the Jackal rose and smeared the
Hyena’s tail with some fat, and then ate all the rest of it which was in
the house. In the morning the man missed his fat, and he
immediately accused the Jackal of having eaten it.

“Look at the Hyena’s tail,” said the rogue, “and you will see who is
the thief.” The man did so, and then thrashed the Hyena till she was
nearly dead.


10. THE LION’S ILLNESS.


(The original, in the Hottentot language, is in Sir G. Grey’s Library, G. Krönlein’s
Manuscript, pp. 29, 30.)

The Lion, it is said, was ill, and they all went to see him in his
suffering. But the Jackal did not go, because the traces of the people
who went to see him did not turn back. Thereupon, he was accused
by the Hyena, who said, “Though I go to look, yet the Jackal does
not want to come and look at the man’s sufferings.”

Then the Lion let the Hyena go, in order that she might catch the
Jackal; and she did so, and brought him.

The Lion asked the Jackal: “Why did you not come here to see me?”
The Jackal said, “Oh no! when I heard that my uncle was so very ill, I
went to the witch (doctor), to consult him, whether and what
medicine would be good for my uncle against the pain. The doctor
said to me, ‘Go and tell your uncle to take hold of the Hyena and
draw off her skin, and put it on while it is still warm. Then he will
recover.’ The Hyena is one who does not care for my uncle’s
sufferings.”

The Lion followed his advice, got hold of the Hyena, drew the skin
over her ears, whilst she howled with all her might, and put it on.


11. THE DOVE AND THE HERON.


(The original, in the Hottentot language, is in Sir G. Grey’s Library, G. Krönlein’s
Manuscript, pp. 13, 14.)

The Jackal, it is said, came once to the Dove, who lived on the top of
a rock, and said, “Give me one of your little children.” The Dove
answered: “I shall not do anything of the kind.” The Jackal said,
“Give it me at once! Otherwise, I shall fly up to you.” Then she threw
one down to him.

He came back another day, and demanded another little child, and
she gave it to him. After the Jackal had gone, the Heron came, and
asked, “Dove, why do you cry?” The dove answered him: “The
