About: 86 publications, 29,337 reads, 2,451 citations. Additional affiliations: August 2014 - September 2016; December 2010 - present.
Publications (86)
This article discusses secure methods to conduct e-voting over a blockchain in three different settings: decentralized voting, centralized remote voting, and centralized polling station voting. These settings cover almost all voting scenarios that occur in practice. A proof-of-concept implementation for decentralized voting over Ethereum’s blockcha...
A novel strong physical unclonable function (PUF), called Probability-based PUF (Prob-PUF), is proposed using the stochastic process of trap emission in nano-scaled transistors. For the first time, the information of trap emission probability is used in the PUF design. This new approach offers ideal immunity to machine learning (ML) attacks. Since...
The Payment Protocol standard BIP70, specifying how payments in Bitcoin are performed by merchants and customers, is supported by the largest payment processors and most widely-used wallets. The protocol has been shown to be vulnerable to refund attacks due to lack of authentication of the refund addresses. In this paper, we give the first formal m...
Polymer banknotes are the trend for printed currency and have been adopted by more than fifty countries worldwide. However, over the past years, the quantity and the quality of polymer counterfeits have been increasing. This shows that the initial advantage of bringing a new polymer technology to fight against counterfeiting is reducing. To maintai...
Polymer banknotes are the trend for printed currency and have been adopted by more than fifty countries worldwide. However, over the past years, the quantity of polymer counterfeits has been increasing, so has the quality of counterfeits. This shows that the initial advantage of bringing a new polymer technology to fight against counterfeiting is r...
Collaboration is a keystone of defense in the field of cybersecurity. A collaborative detection system allows multiple collaborators or service providers to share their security-incident-response data, in order to effectively identify and isolate stealthy malicious actors who hide their traffic under the umbrella of legitimate Internet data transmi...
On 2 May 2019, during the UK local elections, an e-voting trial was conducted in Gateshead, using a touch-screen end-to-end verifiable e-voting system. This was the first trial of verifiable e-voting for polling station voting in the UK, and it presented a case study to envisage the future of e-voting.
In this article, we propose the first self-tallying decentralized e-voting protocol for a ranked-choice voting system based on Borda count. Our protocol does not need any trusted setup or tallying authority to compute the tally. The voters interact through a publicly accessible bulletin board for executing the protocol in a way that is publicly ver...
The Internet of Things, or IoT, is the network of connected computing devices that have the ability to transfer valued data between each other via the Internet without requiring human intervention. In such a connected environment, the Social Internet of Things (SIoT) has become an emerging trend where multiple IoT devices owned by users support com...
In this paper, we address an unsolved problem in the real world: how to ensure the integrity of the web content in a browser in the presence of malicious browser extensions? The problem of exposing confidential user credentials to malicious extensions has been widely understood, which has prompted major banks to deploy two-factor authentication. Ho...
We propose the first auctioneer-free sealed-bid auction protocol with a linear computation and communication complexity O(c), c being the bit length of the bid price. Our protocol, called Self-Enforcing Auction Lot (SEAL), operates in a decentralized setting, where bidders jointly compute the maximum bid while preserving the privacy of losing bids....
The 5th conference on Security Standardisation Research (SSR'19) is in London, UK, on 11 November 2019, co-located with the ACM Conference on Computer and Communications Security 2019 (CCS'19). This conference aims to provide a preferred venue for the discussion of all topics related to security standardisation, covering both theory and practice. T...
The Internet of Things (IoT) or the Cyber-Physical System (CPS) is the network of connected devices, things and people which collect and exchange information using the emerging telecommunication networks (4G, 5G IP-based LTE). These emerging telecommunication networks can also be used to transfer critical information between the source and destinat...
An end-to-end verifiable (E2E) voting system enables candidates, voters and observers to monitor the integrity of an election process and verify the results without relying on trusted systems. In this paper, we propose a DRE-based Borda count e-voting system called DRE-Borda. The proposed system is E2E verifiable without involving any tallying auth...
In 2006, Hao and Zieliński presented a two‐round veto protocol named anonymous veto network (AV‐net), which is exceptionally efficient in terms of the number of rounds, computation and bandwidth usage. However, AV‐net has two generic issues: (i) a participant who has submitted a veto can find out whether she is the only one who vetoed; (ii) the las...
The emerging use of modern technologies has not only benefited society but also attracted fraudsters and criminals to misuse the technology for financial benefits. Fraud over the Internet has increased dramatically, resulting in an annual loss of billions of dollars to customers and service providers worldwide. Much of such fraud directly impacts i...
Threshold password-authenticated secret sharing (TPASS) protocols allow a client to distribute a secret s amongst n servers and protect it with a password pw, so that the client can later recover the secret s from any subset of t of the servers using the password pw. In this paper, we present two efficient TPASS protocols, one is built on two-phase...
Cryptocurrency mining in the browser has the potential to provide a new pay-as-you-go monetisation mechanism for consuming digital media over the Web. However, browser mining has recently received strong criticism due to illegitimate use of mining scripts in several popular websites (a practice called cryptojacking). Here we provide the first feasi...
The Internet of Vehicles (IoV) is the network of connected vehicles and transport infrastructure units (Roadside Units (RSU)), which utilizes emerging wireless systems (4G, 5G, LTE) for the communication and sharing of information. The network of connected vehicles enables users to disseminate critical information about events happening on the road...
Botnets are the preeminent source of online crime and arguably one of the greatest threats to the Internet infrastructure. In this paper, we present ZombieCoin, a botnet command-and-control (C&C) mechanism that leverages the Bitcoin network. ZombieCoin offers considerable advantages over existing C&C techniques, most notably the fact that Bitcoin i...
In the age of IoT (Internet of Things), Machine-to-Machine (M2M) communication has gained significant popularity over the last few years. M2M communication systems may have a large number of autonomous connected devices that provide services without human involvement. Interacting with compromised, infected and malicious machines can bring damaging con...
In the first part of this paper, we propose PINlogger.js which is a JavaScript-based side channel attack revealing user PINs on an Android mobile phone. In this attack, once the user visits a website controlled by an attacker, the JavaScript code embedded in the web page starts listening to the motion and orientation sensor streams without needing...
In online marketplaces (e-commerce, cloud marketplaces), potential buyers/consumers do not have direct access to inspect the quality of products and services offered by service providers or retailers of the marketplace. Therefore, consumers have to trust the reputation system of the online marketplace for deciding whether or not to interact with th...
Reputation systems enable consumers to evaluate the trustworthiness of business entities (retailers, sellers) over the marketplace. In electronic marketplaces, the reputation of a business entity (retailer, seller) is computed by aggregating the “trust-scores” assigned to her by the parties who have had transactions with her. Most reputation syste...
Simple Password Exponential Key Exchange (SPEKE) is a well-known Password Authenticated Key Exchange (PAKE) protocol that has been used in Blackberry phones for secure messaging and Entrust's TruePass end-to-end web products. It has also been included into international standards such as ISO/IEC 11770-4 and IEEE P1363.2. In this paper, we analyse t...
Nuisance or unsolicited calls and instant messages come at any time in a variety of different ways. These calls would not only exasperate recipients with the unwanted ringing, impacting their productivity, but also lead to a direct financial loss to users and service providers. Telecommunication Service Providers (TSPs) often employ standalone dete...
Browser extensions have been established as a common feature present in modern browsers. However, some extension systems risk exposing APIs which are too permissive and cohesive with the browser's internal structure, thus leaving a hole for malicious developers to exploit security critical functionality within the browser itself. In this paper, we...
The Internet of Things (IoT) is the integration of a large number of autonomous heterogeneous devices that report information from the physical environment to the monitoring system for analytics and meaningful decisions. The compromised machines in the IoT network may not only be used for spreading unwanted content such as spam, malware, viruses et...
BIP70 is a community-accepted Payment Protocol standard that governs how merchants and customers perform payments in Bitcoin. This standard is supported by most major wallets and the two dominant Payment Processors: Coinbase and BitPay, who collectively provide the infrastructure for accepting Bitcoin as a form of payment to more than 100,000 merch...
Classroom voting is an important pedagogical technique in which students learn by voting on the answers to questions. The same voting platform is also often used for exercises such as rating lecturer performance and voting for prizes. In this paper, we present VCV, an end-to-end (E2E) verifiable classroom voting system built based on the DRE-i prot...
In this paper, we propose a novel paper fingerprinting technique based on analyzing the translucent patterns revealed when a light source shines through the paper. These patterns represent the inherent texture of paper, formed by the random interleaving of wooden particles during the manufacturing process. We show these patterns can be easily captu...
In a contactless transaction, when more than one card is presented to the payment terminal’s field, the terminal does not know which card to choose to proceed with the transaction. This situation is called card collision. EMV (which is the primary standard for smart card payments) specifies that the reader should not proceed when it detects a card...
In a two-server password-authenticated key exchange (PAKE) protocol, a client splits its password and stores two shares of its password in the two servers, respectively, and the two servers then cooperate to authenticate the client without knowing the password of the client. In case one server is compromised by an adversary, the password of the cli...
Nearly all verifiable e-voting schemes require trustworthy authorities to perform the tallying operations. An exception is the DRE-i system which removes this requirement by pre-computing all encrypted ballots before the election using random factors that will later cancel out and allow the public to verify the tally after the election. While the r...
Bitcoin as deployed today does not scale. Scalability research has focused on two directions: (1) redesigning the Blockchain protocol, and (2) facilitating ‘off-chain transactions’ and only consulting the Blockchain if an adjudicator is required. In this paper we focus on the latter and provide an overview of Bitcoin payment networks. These consist...
Conforming to W3C specifications, mobile web browsers allow JavaScript code in a web page to access motion and orientation sensor data without the user's permission. The associated risks to user security and privacy are however not considered in W3C specifications. In this work, for the first time, we show how user security can be compromised using...
Mobile NFC payment is an emerging industry, estimated to reach $670 billion by 2015. The Mafia attack presents a realistic threat to payment systems including mobile NFC payment. In this attack, a user consciously initiates an NFC payment against a legitimate-looking NFC reader (controlled by the Mafia), not knowing that the reader actually relays...
Bitcoin is designed to protect user anonymity (or pseudonymity) in a financial transaction, and has been increasingly adopted by major e-commerce websites such as Dell, PayPal and Expedia. While the anonymity of Bitcoin transactions has been extensively studied, little attention has been paid to the security of post-transaction correspondence. In...
Threshold password-authenticated secret sharing (TPASS) protocols allow a client to secret-share a secret s among n servers and protect it with a password \(\mathsf {pw}\), so that the client can later recover s from any subset of t of the servers using the password \(\mathsf {pw}\), but so that no coalition smaller than t learns anything about s o...
Existing software-based data erasure programs can be summarized as following the same one-bit-return protocol: the deletion program performs data erasure and returns either success or failure. However, such a one-bit-return protocol turns the data deletion system into a black box - the user has to trust the outcome but cannot easily verify it. This...
Conforming to the recent W3C specifications (www.w3.org/TR/orientation-event), modern mobile web browsers generally allow JavaScript code in a web page to access motion and orientation sensor data without the user's permission. The associated risks to user privacy are however not considered in W3C specifications. In this work, for the first time, w...
In this paper, we study Password Authenticated Key Exchange (PAKE) in a group. First, we present a generic "fairy-ring dance" construction that transforms any secure two-party PAKE scheme to a group PAKE protocol while preserving the round efficiency in the optimal way. Based on this generic construction, we present two concrete instantiations base...
Botnets are the preeminent source of online crime and arguably the greatest threat to the Internet infrastructure. In this paper, we present ZombieCoin, a botnet command-and-control (C&C) mechanism that runs on the Bitcoin network. ZombieCoin offers considerable advantages over existing C&C techniques, most notably the fact that Bitcoin is designed...
In this paper, we study Password Authenticated Key Exchange (PAKE) in a group. First, we present a generic " fairy-ring dance " construction that transforms any secure two-party PAKE scheme to a group PAKE protocol while preserving the round efficiency in the optimal way. Based on this generic construction, we present two concrete instantiations ba...
The SPEKE protocol is commonly considered one of the classic Password Authenticated Key Exchange (PAKE) schemes. It has been included in international standards (particularly, ISO/IEC 11770-4 and IEEE 1363.2) and deployed in commercial products (e.g., Blackberry). We observe that the original SPEKE specification is subtly different from those defin...
Dragonfly is a password authenticated key exchange protocol that has been submitted to the Internet Engineering Task Force as a candidate standard for general Internet use. The authors analysed the security of this protocol and devised an attack that is capable of extracting both the session key and password from an honest party. This attack was th...
In two-server password-authenticated key exchange (PAKE) protocol, a client splits its password and stores two shares of its password in the two servers, respectively, and the two servers then cooperate to authenticate the client without knowing the password of the client. In case one server is compromised by an adversary, the password of the clien...
Private browsing has been a popular privacy feature built into all mainstream browsers since 2005. However, despite its prevalent use, the security of this feature has received little attention from the research community. In this paper, we present an up-to-date and comprehensive analysis of private browsing across four most popular web browsers: I...
This paper presents a new End-to-End (E2E) verifiable e-voting protocol for large-scale elections, called Direct Recording Electronic with Integrity (DRE-i). In contrast to all other E2E verifiable voting schemes, ours does not involve any Tallying Authorities (TAs). The design of DRE-i is based on the hypothesis that existing E2E voting protocols’...
If two parties wish to safely communicate over an insecure channel, one method they may use is to first run an authenticated key exchange protocol over this channel so as to jointly and secretly construct a cryptographically strong session key that can serve to subsequently secure further bulk communication. This chapter is an introduction to the d...
In this paper, we propose – and have implemented – the first verifiable classroom voting system. The subject of secure classroom voting has so far received almost no attention from the security community. Though several commercial classroom voting systems have been available, none of them is verifiable. State-of-the-art verifiable voting protocols...
Hi, good afternoon everyone. We have come to the last talk. I know many of you are probably desperate for a pint in the pub, so I will make your life easy and keep the talk short. This talk is about “verifiable classroom voting”. If you look for the literature on this subject, you will probably find none. The reason should become clear later in the...
This paper shows several security weaknesses of a Multi-Factor Authenticated Key Exchange (MK-AKE) protocol, proposed by Pointcheval and Zimmer at ACNS'08. The Pointcheval-Zimmer scheme was designed to combine three authentication factors in one system, including a password, a secure token (that stores a private key) and biometrics. In a formal mod...
Verifiable electronic voting has been extensively researched for over twenty years, but few protocols have achieved real-life deployment. A key impediment, we argue, is caused by the existing protocols' universal reliance on the probity of the tallying authorities. This might seem surprising to many people as dependence on tallying authorities has...
Good morning everyone. In the past six months I have been doing some preliminary investigation on what the future e-voting will look like. We have made some progress and I would like to share with you our findings, and also highlight some open problems. I would appreciate your comments and criticisms. For this presentation I have prepared an election....
Official trials were conducted of a number of e-voting systems in the UK in 2002/3 and 2007 during local government elections, yet none of these test systems were subsequently used in any further elections, and all trials were suspended in 2008. We describe these trials, concentrating on the second more extensive 2007 trial, and how their results w...
Hao, Ryan & Zieliński (2010) propose a two-round decentralized voting protocol that is efficient in terms of rounds, computation, and bandwidth. However, the protocol has two drawbacks. First, if some voters abort then the election result cannot be announced, that is, the protocol is not robust. Secondly, the last voter can learn the election result...
This talk is about How to Sync with Alice. It is joint work with Peter Ryan. Life used to be simple; you had only one desktop computer. Then you have a laptop, which is more convenient, and is becoming inexpensive. In the past five years you’ve seen the rise of smartphones, and tablets. So the computer has been evolving. It used to be bulky, and fix...
This paper explains the sync problem and compares solutions in Firefox 4 and Chrome 10. The sync problem studies how to securely synchronize data across different computers. Google has added a built-in sync function in Chrome 10, which uses a user-defined password to encrypt bookmarks, history, cached passwords etc. However, due to the low-entropy...
Password Authenticated Key Exchange (PAKE) is one of the important topics in cryptography. It aims to address a practical security problem: how to establish secure communication between two parties solely based on a shared password without requiring a Public Key Infrastructure (PKI). After more than a decade of extensive research in this field,...
In 2006, Hao and Zieliński proposed a two-round anonymous veto protocol (called AV-net), which provided exceptional efficiency compared to related techniques. In this study, the authors add a self-tallying function to the AV-net, making it a general-purpose voting protocol. The new protocol works in the same setting as the AV-net: it requires no t...
The small subgroup confinement attack works by confining cryptographic operations within a small subgroup, in which exhaustive search is feasible. This attack is overt and hence can be easily thwarted by adding a public key validation: verifying the received group element has proper order. In this paper, we present a different aspect of the small s...
We describe two new attacks on the HMQV protocol. The first attack raises a serious question on the basic definition of “authentication” in HMQV, while the second attack is generally applicable to many other protocols. In addition, we present a new authenticated key agreement protocol called YAK. Our approach is to depend on well-established techni...