Zero-knowledge proofs of knowledge are stateless. To improve efficiency, in some settings it is desirable that the prover could reuse proofs that were already sent to the verifier in order to prove a new statement. Consider an access control system that protects two types of resources. To access type 1 resources, a user must prove in zero-knowledge that she possesses a credential signed by a trusted issuer that certifies her age. To access type 2 resources, the user must also prove that her age is greater than 16. If a user already has proven fulfillment of the policy for type 1 resources, it is desirable that the user can gain access to type 2 resources without needing to reprove possession of a credential on her age. It is easy to solve the problem described in this example using commitments. Namely, a zero-knowledge proof for type 1 resources can output a commitment to the user age, which can be used in a proof for type 2 resources to prove that the committed value is greater than 16. However, the problem becomes more difficult when it is required to hide from the verifier what value or values kept in the state are reused to compute new proofs. Therefore, in order to study the problem of how to store and use state information kept between a prover and a verifier, we define an ideal functionality for stateful zero-knowledge. Our functionality allows the prover to prove in zero-knowledge that a value is written into a state table, or that it is read from the state table. We describe a construction based on vector commitments.
Our stateful zero-knowledge protocol can be used to store the state of zero-knowledge protocols for many different relations. To describe a hybrid protocol in the UC model that employs the stateful zero-knowledge functionality along with the zero-knowledge functionalities for those relations, one must ensure that the values read or written from the state equal those employed in the zero-knowledge functionality. In our example, one must ensure that the age value input to the stateful zero-knowledge functionality equals the age value input to the zero-knowledge functionality to prove credential possession. To ensure equality, one can input and verify a commitment to the age in both functionalities. The binding property of the commitment guarantees equality between the committed values. However, existing ideal functionalities for commitments do not allow for such a construction, which prevents us from describing a hybrid protocol. We describe how to solve this problem by proposing a new functionality for commitments. Finally, we conclude by discussing further directions and applications of stateful zero-knowledge.
The information security is described as a multidisciplinary area, which includes both technical and behavioral approaches to protection of information confidentiality, integrity and accessibility. Despite the fact that some research in the field of information security has considered socio-psychological concerns, it is still primarily focused on technical issues concerning the design and implementation of technical security systems, but according to IBM's 2014 CyberSecurity Intelligence Index 95 percent of all security incidents involve human error. Usually the human factor in information security is discussed in the context of successful social engineering attacks: attackers who aim to find some private information exploit human vulnerabilities, personal characteristics and behavior. But there are many cases when users made security-risky decisions without any external impact and it can be difficult for management to catch these incidents. There is also a very broad "gray" area of human's actions in the Internet, which don't immediately lead to information security risks, but lead to the cherishing of risky behavior, which can inevitably end in security failure.
We can say that understanding the "human factor" in information security is crucial for information management and protection both within organizations and in the broad area of users everyday experience. Our primary focus will be on user's features and traits which can predict a hyper self- and information disclosure and risky behavior in the Internet, but we also discuss an organization cultures factors which can increase or decrease the rate of human's security mistakes.
In this lecture, we will discuss:
- why users sabotage (intentionally or not) the organization's security policies?
- why users are so reckless in virtual environments and how the self-disclosure connects with users previous social networks/virtual experience?
- how the individual difference, cognitive abilities and personality traits can predict the users behavior in "risky" businesses in the Internet.
With the rapid development of sensor-equipped mobile devices such as smartphones and tablets, mobile crowdsensing sensing (MCS)  becomes a promising paradigm of collecting real-time information of mobile users, such as users’ locations, activities, surrounding air quality, health status, and etc. Through aggregating the data from each individual user, a big picture of large crowds and further the world becomes visible and clear.
In this talk, I would like to share my experiences and visions of mobile crowdsensing through introducing interesting MCS applications for environment monitoring. First, this talk introduces my Ph.D research in “Near-Optimal Mobile Crowdsensing” , where we intend to leverage mobility of crowds and mobile sensors to monitor environment e.g., air pollution of a city; specifically several energy-efficient/cost-effective environment data collection algorithms are addressed, in order to obtain sensor readings covering the target region timely. Further, rather than collecting sensor readings fully covering target region, recent progress in compressive sensing  shows that it is possible to collect sensor readings from part of the target region and deduce the sensor readings of uncovered area. With the basic idea in mind, this talk also presents my in-progress works in sparse mobile crowdsensing, where I show how active machine learning paradigms could be adopted to improve the efficiency of crowdsensing.
End-to-end (E2E) verifiable remote electronic voting (e-voting) systems are becoming more important, being used frequently in a variety of legally-binding elections. Helios is one prominent example of an E2E verifiable remote e-voting system, enabling 'cast-as-intended', 'stored-as-cast', and 'tallied-as-stored' verification. 'Cast-as-intended' verification is important since all other verification opportunities can be conducted by other parties without violating vote secrecy. Voters have to verify that their own votes are 'cast-as-intended', to preserve vote secrecy. Furthermore, they have to conduct several actions to conduct 'cast-as-intended' verification. These actions range from simple actions such as clicking buttons on the voting interface, to more cumbersome ones such as comparing lengthy hash values. Therefore, 'cast-as-intended' verification requires active participation from voters. Any voter who wants to conduct 'cast-as-intended' verification in Helios should be able to do so. Consequently, this research focuses on usability, conceptualized as voter ability to conduct this verification. Moreover, voter involvement with 'cast-as-intended' verification deserves attention as even usable systems can remain unused due to a lack of motivation. This research has two goals: (1) to investigate the usability of 'cast-as-intended' verification in the Helios remote e-voting system, and (2) to investigate whether voters are motivated to take up the verification opportunity.
For the first research goal, a cognitive walkthrough is conducted by experts in usability, security, and e-voting. Multiple obstacles to 'cast-as-intended' verification in Helios are identified. Subsequently, an improved 'cast-as-intended' Helios verification process is proposed. The improvements include: (1) raising voter awareness of the verification opportunity, (2) simplifying 'cast-as-intended' verification by automation, and (3) proposing 'cast-as-intended' verification using two new verification methods. Mock-ups of these two methods are used to evaluate their efficacy, finding that voters can, or are of the opinion that they can, conduct verification with these two methods.
With respect to the second research goal, a survey is conducted to identify voters' mental models of verification, that is, their knowledge, beliefs, and attitudes towards verification as they cast votes in paper-based elections. The findings are that voters largely trust in the people and processes involved in paper-based elections. Consequently, voters are likely not to be motivated to take up the verification opportunity. Therefore, three motivating messages are developed to increase voter verification intention without affecting their intention to vote online. The motivating messages are developed based on behavior-change theories that are used to motivate the conduct of various security-related actions. A survey conducted to test these motivating messages shows that, overall, they do significantly increase voter verification intention, while not negatively affecting their intention to vote online.
In this talk, I will mainly focus on the research I have been actively carrying for the last 3 years: security and privacy of genomic data. However, techniques that will be presented in this talk can also be applied to other domains such as online social networks, banks, hospitals, military, mobile devices, cyber-physical systems, and sensor data.
Genomics is becoming the next significant challenge for privacy. The price of a complete genome profile has plummeted below $ 100 for genome-wide genotyping, which is offered by a number of companies. This low cost of DNA sequencing will break the physician/patient connection and it can open the door to all kinds of abuse, not yet fully understood. Access to genomic data prompts some important privacy concerns: (i) DNA reflects information about genetic conditions and predispositions to specific diseases such as Alzheimer's, cancer, or schizophrenia, (ii) DNA contains information about ancestors, and progeny, (iii) DNA (almost) does not change over time, hence revoking or replacing it is impossible, and (iv) DNA analysis is already being used both in law enforcement and health-care, thus prompting numerous ethical issues. Such issues could lead to abuse, threats, and genetic discrimination. As pointed out by author Rebecca Skloot, "the view we have today of genomes is like a world map, but Google Street View is coming very soon". This growing precision can be highly beneficial in terms of personalized medicine, but it can have devastating consequences on individuals' peace of mind.
In this talk, after discussing the threats on genomic privacy, I will first focus on inference attacks and quantification of kin genomic privacy, using information theoretical tools. First, I will show how vulnerable the genomic privacy of individuals is due to genomic data shared by their relatives, and data available on online social networks. That is, I will show how genomic data of family members can be efficiently inferred using data publicly shared by other relatives and background knowledge on genomics. For this, we propose an algorithm to model such an attack using (i) available genomic data of a subset of family members, (ii) statistical relationships (correlations) between the nucleotides on the DNA, and (iii) publicly known genomic background. For the efficiency of such an algorithm, we represent this attack as an inference problem (to infer the unknown nucleotides of the family members from the available data). We model the familial relationships, nucleotides on the DNA, and the correlations between the nucleotides on a factor graph, and we use the belief propagation algorithm to efficiently infer the unknown nucleotides on the factor graph via message passing. Then, I will show how this attack threatens the real users who share genomic data on the Internet.
In the remaining of the talk, I will introduce a new protection mechanism, GenoGuard, based on a newly proposed cryptographic primitive called honey-encryption. Considering the high sensitivity and longevity of genomic data, GenoGuard is able to provide security against brute-force attacks (by attackers with unlimited computational power). To encrypt a genome, we propose a tree-based generative model based on public genomic statistics. To retrieve the genomic sequence of a patient, a client (the patient or his doctor) has to provide a password which has the ability to reconstruct a sequence from the ciphertext. Providing a wrong password yields a plausible but incorrect sequence, which makes it hard for an adversary to decide whether he has used a correct password or not.