Reihaneh Safavi-Naini, PhD
The University of Calgary · Department of Computer Science
About
534 Publications · 57,656 Reads · 8,835 Citations
Publications (534)
In the Internet of Things (IoT), there are often devices that are computationally too constrained to establish a security key using traditional key distribution mechanisms such as those based on the Diffie-Hellman key exchange. To address this, current solutions commonly rely on key predistribution schemes (KPSs). Among KPSs, the Blom scheme provabl...
A mutual private set intersection protocol (PSI) allows two parties to find the intersection of their private sets without leaking any other information. A mutual PSI protocol achieves complete fairness if a malicious party cannot disadvantage the honest party by using an early abort of the protocol. It has been proved that it is impossible to achi...
Outsourcing computation enables a weak client to expand its computational power as the need arises. A basic requirement of outsourcing computation is the guarantee that the computation result is correct. Cryptographic solutions that provide verifiability for the computation result when the computation is outsourced to a single server, are complex a...
Cheating detectable secret sharing schemes (CDSS) detect changes in the secret that are caused by an adversary who modifies shares of an unauthorized subset of participants. We consider leakage resilient cheating detectable secret sharing schemes (LRCDSS) where protection is against an adversary who, in addition to the shares of an unauthorized set...
Verifiable computation allows a resource-constrained client to outsource their computation to powerful servers, and efficiently verify their received results. Cryptographic verifiable computation systems, despite their elegant designs, have limited application in practice because of the computational cost and difficulty of correct and flexible impl...
A proof-of-location (pol) is a digital credential issued to a user after proving their location to an issuer. The user can use the pol at a later time to prove to a verifier that they have been present at a claimed location. A secure Proof-of-Location (POL) system requires that pols be unforgeable and non-transferable to other users. POL sys...
Controlled sharing is fundamental to distributed systems. We consider a capability-based distributed authorization system where a client receives capabilities (access tokens) from an authorization server to access the resources of resource servers. Capability-based authorization systems have been widely used on the Web, in mobile applications and o...
Policy-based signatures (PBS) were proposed by Bellare and Fuchsbauer (PKC 2014) to allow an authorized member of an organization to sign a message on behalf of the organization. The user’s authorization is determined by a policy managed by the organization’s trusted authority, while the signature preserves the privacy of the organization’s policy....
Outsourcing computation allows a resource limited client to expand its computational capabilities by outsourcing computation to other computing nodes or clouds. A basic requirement of outsourcing is providing assurance that the computation result is correct. We consider a smart contract based outsourcing system that achieves assurance by replicatin...
Fair exchange protocols are among the most important cryptographic primitives in electronic commerce. A basic fair exchange protocol requires that two parties who want to exchange their digital items either receive what they have been promised, or lose nothing. Privacy of fair exchange requires that no one else (other than the two parties) learns a...
A Proof-of-Location (POL) system is used to issue a proof-of-location token (pol) to a user who has been present at a location loc, such that it can be later presented to a verifier to assure the presence of the user at loc. Basic POL security requirements are unforgeability of pol, and its non-transferability (a pol issued to user u1...
A secret sharing scheme generates shares of a secret that will be distributed among a set of participants such that the shares of qualified subsets of participants can reconstruct the secret, and shares of non-qualified subsets leak no information about the secret. Secret sharing is a fundamental cryptographic primitive in multiparty computation, t...
In a resource sharing system, users offer goods and services with specified conditions such that, if the conditions are met, access will be granted. Traditional resource sharing systems use a trusted intermediary that mediates users' interactions. Our work is motivated by a decentralized resource sharing platform (proposed in WTSC'20) that uses a permissioned blockchain...
Digital signature schemes form the basis of trust in Internet communication. Shor (FOCS 1994) proposed quantum algorithms that can be used by a quantum computer to break the security of today’s widely used digital signature schemes, and this has fuelled intensive research on the design and implementation of post-quantum digital signatures. Hash-bas...
A password protected secret sharing (PPSS) allows a user to store shares of a secret on a set of L servers, and use a single password to authenticate itself to any subset of k servers at a later time to access the shares and reconstruct the secret. Security of PPSS ensures that a coalition of up to k-1 servers cannot reveal any information about th...
Group encryption (GE), introduced by Kiayias, Tsiounis and Yung (Asiacrypt'07), is the encryption analogue of group signatures. It allows sending verifiably encrypted messages satisfying certain requirements to certified members of a group, while keeping the anonymity of the receivers. Similar to the tracing mechanism in group signatures, the recei...
A Behavioral Authentication (BA) system constructs a behavioral profile for a user and uses it to verify their identity claims. It is primarily used as a second factor in user authentication. A BA system starts with an initial database of user profiles, and uses a verification algorithm to accept or reject a verification request that consists of a...
A hybrid encryption scheme is a public key encryption system that consists of a public-key part called the key encapsulation mechanism (KEM), and a (symmetric) secret-key part called data encapsulation mechanism (DEM): the public-key part is used to generate a shared secret key between the two parties, and the symmetric key part is used to encrypt...
A fuzzy vault encrypts a message using fuzzy data such as user’s biometric data as the vault key. Fuzzy vault can be used to protect users’ cryptographic keys in smart cards and inside applications. We consider fuzzy vault based on behavioral data. A behavioral profile of a user consists of a set of features that collectively authenticates the user...
Sharing resources is a growing trend in today’s world. Sharing allows larger groups of individuals to benefit from available resources, hence optimizing the resource consumption. Sharing however demands a level of trust and control on the outcome: one needs to have confidence that a shared item will be used according to a prior agreement. In this p...
Information theoretic secret key agreement is impossible without making initial assumptions. One type of initial assumption is correlated random variables that are generated by using a noisy channel that connects the terminals. Terminals use the correlated random variables and communication over a reliable public channel to arrive at a shared secre...
Outsourcing computation has gained significant popularity in recent years due to the development of cloud computing and mobile services. In a basic outsourcing model, a client delegates computation of a function f on an input x to a server. There are two main security requirements in this setting: guaranteeing the server performs the com...
Logging systems are an essential component of security systems and their security has been widely studied. Recently (2017) it was shown that existing secure logging protocols are vulnerable to crash attack in which the adversary modifies the log file and then crashes the system to make it indistinguishable from a normal system crash. The attacker w...
Outsourcing computation has gained significant attention in recent years in particular due to the prevalence of cloud computing. There are two main security concerns in outsourcing computation: guaranteeing that the server performs the computation correctly, and protecting the privacy of the client’s data. The verifiable computation of Gennaro, Gen...
Outsourcing computation allows a weak client to outsource its computation to a powerful server and receive the result of the computation. Verifiable outsourcing enables clients to verify the computation result of untrusted servers. Permissionless distributed outsourcing systems provide an attractive marketplace for users to participate in the syste...
Outsourcing computation has been widely used to allow weak clients to access computational resources of a cloud. A natural security requirement for the client is to be able to efficiently verify the received computation result. An attractive approach to verifying a general computation is to send the computation to multiple clouds, and use carefully...
Non-malleable codes protect against an adversary who can tamper with the coded message by using a tampering function in a specified function family, guaranteeing that the tampering result will only depend on the chosen function and not the coded message. The codes have been motivated for providing protection against tampering with hardware that sto...
With the rapid development of quantum technologies, quantum-safe cryptography has attracted significant attention. Hash-based signature schemes have been of particular interest because of (i) the importance of digital signatures as the main source of trust on the Internet, (ii) the fact that the security of these signatures relies on the existence of one...
Non-malleable codes were proposed in tamper resilient cryptology with the goal of preventing an adversary from tampering with the protected message in a message-specific way. Adversarial noise in coding theory is usually modelled as an Arbitrary Varying Channel (AVC), where reliable transmission has been the prime concern of study and hence restric...
Information-theoretic secure key agreement protocols do not use computational assumptions and will stay secure with future advances in computing technologies. We consider a setting where Alice and Bob have access to correlated variables, and use a public channel to interact and obtain a shared secret key. Efficiency of protocols in this setting is...
Secret key agreement (SKA) is an essential primitive in cryptography and information security. In a multiterminal key agreement problem, there is a set of terminals, each having access to a component of a vector random variable. The goal of the terminals is to establish a shared key among a designated subset of terminals. This problem has been studie...
Non-malleable secret sharing was recently studied by Goyal and Kumar in independent tampering and joint tampering models for threshold scheme (STOC18) and secret sharing with general access structure (CRYPTO18). We study non-malleable secret sharing in a natural adaptive tampering model, where the share vector is tampered using a function, in a giv...
Integrated broadcast-broadband services allow viewers to simultaneously receive broadcast content over the airwaves and additional information related to the content over the Internet. This integration provides opportunities for new services to be tailored and offered to individual viewers. Viewing histories provide a rich variety of data for servi...
BIP70 is the Bitcoin payment protocol for communication between a merchant and a pseudonymous customer. McCorry et al. (FC 2016) showed that BIP70 is prone to refund attacks and proposed a fix that requires the customer to sign their refund request. They argued that this minimal change will provide resistance against refund attacks. In this paper,...
Post-quantum secure communication has attracted much interest in recent years. Known computationally secure post-quantum key agreement protocols are resource intensive for small devices. These devices may need to securely send frequent short messages, for example to report the measurement of a sensor. Secure communication using physical assumptions...
This panel will explore how security topics are integrated into academic programs and future directions for improvements. It will address how early in time security should be introduced in programs like computer science and software engineering; and identify the critical takeaways that each graduating student should learn. We will try to separate o...
Today's Smart Home platforms such as Samsung SmartThings and Amazon AWS IoT are primarily cloud based: devices in the home sense the environment and send the collected data, directly or through a hub, to the cloud. Cloud runs various applications and analytics on the collected data, and generates commands according to the users' specifications that...
Secret sharing is a fundamental cryptographic primitive. One of the main goals of secret sharing is to share a long secret using small shares. In this paper we consider a family of statistical secret sharing schemes indexed by N, the number of players. The family is associated with a pair of relative thresholds τ and κ, that for a given N...
Anonymous Distance-Bounding (DB) protocols allow a prover to convince a verifier that they are within a distance bound from the verifier, without revealing their identity. This is an attractive property that enables the prover to enjoy proximity based services while preserving their privacy. Combination of anonymity and distance-bounding however in...
Location information has wide applications in customization and personalization of services, as well as secure authentication and access control. We introduce in-Region Authentication (inRA), a novel type of authentication, that allows a prover to prove to a set of cooperating verifiers that they are in possession of the correct secret key, and are...
Distance bounding (DB) protocols allow a prover to convince a verifier that they are within a distance bound. A public key distance bounding protocol relies on the public keys of the users to prove their identity and proximity claim. There have been a number of approaches in the literature to formalize the security of public key distance bounding protocols. In th...
Permissions are highly sensitive in Internet-of-Things (IoT) applications, as IoT devices collect our personal data and control the safety of our environment. Rather than simply granting permissions, further constraints shall be imposed on permission usage so as to realize the Principle of Least Privilege. Since IoT devices are physically embedded,...
Moving target defense (MTD) strategies have been widely studied for securing computer systems. We consider using MTD strategies to provide long-term cryptographic security for message transmission against an eavesdropping adversary who has access to a quantum computer. In such a setting, today’s widely used cryptographic systems including Diffie-He...
We propose a modular construction of a semantically secure wiretap code that achieves secrecy capacity for a large class of wiretap channels. Security of the construction is proved by interpreting the construction as an instance of an invertible extractor, and using the framework in Bellare et al. [1] to complete the proof. The construction has computa...
In this work, we address the question of whether the authorship of a single tweet can be successfully identified (and in a mixed set with other authors). Here, we present a new authorship identification scheme, which is useful in detecting authorship of short texts such as tweets, in case where only single messages are available. Our authorship ide...
Cryptographic authentication protects messages against forgeries. In real life, messages carry information of different value, and the gain of the adversary in a successful forgery and the corresponding cost to the system designers depend on the "meaning" of the message. This is easy to see by comparing the successful forgery of a $1,000 transaction...
In the Wyner wiretap channel a sender is connected to a receiver and an eavesdropper through two noisy channels. It has been shown that if the noise in the eavesdropper channel is higher than the receiver’s channel, information theoretically secure communication from Alice to Bob, without requiring a shared key, is possible. The approach is particu...
In integrated broadcast-broadband services, viewers receive content via the airwaves as well as additional content via the Internet. The additional content can be personalized by using the viewing histories of each viewer. Viewing histories however contain private data that must be handled with care. A verifiable attribute-based keyword search (VAB...
Smart homes include hundreds of devices that generate messages, and communicate with each other and the world outside the home, to provide a highly functional, optimized and personalized environment for residents. A secure and reliable event logging system is an essential component of smart homes with a wide range of applications such as fault dete...
Moving target defense (MTD) strategies have been widely studied for securing computer communication systems. We consider using MTD strategies as a cryptographic mechanism for providing secure communication when the adversary has access to a quantum computer and security is required over a long period of time. We assume Alice and Bob are connected b...
Non-malleable codes are randomized codes that protect coded messages against modification by functions in a tampering function class. These codes are motivated by providing tamper resilience in applications where a cryptographic secret is stored in a tamperable storage device and the protection goal is to ensure that the adversary cannot benefit fr...
In a profile-based authentication system, a user profile is stored at the verifier and later used to verify their authentication claim. A profile includes user-specific information that is privacy sensitive. In this paper we propose a non-cryptographic approach to providing privacy for user profile data in profile-based authentication systems, usin...
Data compression is ubiquitous to any information and communication system. It often reduces resources required to store and transmit data. However, the efficiency of compression algorithms also makes them an obvious target for hackers to mount denial-of-service attacks. In this work, we consider decompression quines, a specific class of compressed...
Tamper resilient cryptography has recently gained attention, and novel coding solutions have been proposed. One such solution is Tamper Detection (TD) codes, which are used to detect tampering with a codeword when the tampering function belongs to a specified family of functions. We consider TD codes when the class of functions consists of functions...
Active behavioural-based authentication systems are challenge-response based implicit authentication systems that authenticate users using the behavioural features of the users when responding to challenges that are sent from the server. They provide a flexible (no extra hardware) and secure second factor for authentication systems, with applicatio...
We propose a privacy enhanced location verification system that uses in-region location verification to verify if a location claim is from within an area specified by a policy. The novelty of our work is the use of distance bounding protocols to construct a pseudo-rectangle (P-rectangle) that optimizes coverage of the policy area, and uses it to ve...
Algebraic Manipulation Detection (AMD) Codes detect adversarial noise that is added to a coded message which is stored in a storage that is opaque to the adversary. We study AMD codes when the storage can leak up to ρ log |G| bits of information about the stored codeword, where G is the group that contains the...
We consider a scenario where a sequence of messages must be protected and the security requirement is that the most recent message has a high level of security while past messages could be secured at a lower level. We assume the adversary is an eavesdropping adversary and has unlimited computational power. The motivation for this problem is situatio...
Algebraic Manipulation Detection (AMD) Codes detect adversarial noise that is added to a coded message and stored in a storage that is opaque to the adversary. We study AMD codes when the storage can leak up to ρ log |G| bits of information about the stored codeword, where G is the group in which the stored codeword lives and ρ is a constant....
Modern social computing platforms (e.g., Facebook) are extensible. Third-party developers deploy extensions (e.g., Facebook applications) that augment the functionalities of the underlying platforms. Previous work demonstrated that permission-based protection mechanisms, adopted to control access to users' personal information, fail to control infe...
Key agreement is a fundamental cryptographic primitive. It has been proved that key agreement protocols with security against computationally unbounded adversaries cannot exist in a setting where Alice and Bob do not have dependent variables and communication between them is fully public, or fully controlled by the adversary. In this paper we consi...
One-time signature (OTS) schemes are important cryptographic primitives that can be constructed using one-way functions, and provide post-quantum security. They have found diverse applications including forward security and broadcast authentication. OTS schemes are time-efficient, but their space complexity is high: the sizes of signatures and keys...
We consider the performance of the Linux Random Number Generator (RNG) in virtualized environments and ask (i) whether the emulated hardware can provide sufficient entropy sources for the RNG and (ii) whether the RNG outputs of the host and the guest are isolated. These are important questions because insufficient entropy results in entropy starvation, and the...