Cryptography and Security
Showing new listings for Thursday, 25 September 2025
- [1] arXiv:2509.19485
  Title: Identifying and Addressing User-level Security Concerns in Smart Homes Using "Smaller" LLMs
  Authors: Hafijul Hoque Chowdhury, Riad Ahmed Anonto, Sourov Jajodia, Suryadipta Majumdar, Md. Shohrab Hossain
  Comments: 10 pages, accepted at PST 2025
  Subjects: Cryptography and Security (cs.CR); Artificial Intelligence (cs.AI)
With the rapid growth of smart home IoT devices, users are increasingly exposed to various security risks, as evident from recent studies. While seeking answers to learn more about those security concerns, users are mostly left to their own discretion while going through various sources, such as online blogs and technical manuals, which may render higher complexity to regular users trying to extract the necessary information. This requirement does not go along with the common mindsets of smart home users and hence further threatens the security of smart homes. In this paper, we aim to identify and address the major user-level security concerns in smart homes. Specifically, we develop a novel dataset of Q&A from public forums, capturing practical security challenges faced by smart home users. We extract major security concerns in smart homes from our dataset by leveraging Latent Dirichlet Allocation (LDA). We fine-tune relatively "smaller" transformer models, such as T5 and Flan-T5, on this dataset to build a QA system tailored for smart home security. Unlike larger models like GPT and Gemini, which are powerful but often resource hungry and require data sharing, smaller models are more feasible for deployment in resource-constrained or privacy-sensitive environments like smart homes. The dataset is manually curated and supplemented with synthetic data to explore its potential impact on model performance. This approach significantly improves the system's ability to deliver accurate and relevant answers, helping users address common security concerns with smart home IoT devices. Our experiments on real-world user concerns show that our work improves the performance of the base models.
- [2] arXiv:2509.19568
  Title: Knock-Knock: Black-Box, Platform-Agnostic DRAM Address-Mapping Reverse Engineering
  Comments: Accepted in 2nd Microarchitecture Security Conference 2026 (uASC '26), 17 pages, 8 figures, 3 tables, 1 algorithm, 1 appendix
  Subjects: Cryptography and Security (cs.CR)
Modern Systems-on-Chip (SoCs) employ undocumented linear address-scrambling functions to obfuscate DRAM addressing, which complicates DRAM-aware performance optimizations and hinders proactive security analysis of DRAM-based attacks; most notably, Rowhammer. Although previous work tackled the issue of reversing physical-to-DRAM mapping, existing heuristic-based reverse-engineering approaches are partial, costly, and impractical for comprehensive recovery. This paper establishes a rigorous theoretical foundation and provides efficient practical algorithms for black-box, complete physical-to-DRAM address-mapping recovery. We first formulate the reverse-engineering problem within a linear algebraic model over the finite field GF(2). We characterize the timing fingerprints of row-buffer conflicts, proving a relationship between a bank addressing matrix and an empirically constructed matrix of physical addresses. Based on this characterization, we develop an efficient, noise-robust, and fully platform-agnostic algorithm to recover the full bank-mask basis in polynomial time, a significant improvement over the exponential search from previous works. We further generalize our model to complex row mappings, introducing new hardware-based hypotheses that enable the automatic recovery of a row basis instead of previous human-guided contributions. Evaluations across embedded and server-class architectures confirm our method's effectiveness, successfully reconstructing known mappings and uncovering previously unknown scrambling functions. Our method provides a 99% recall and accuracy on all tested platforms. Most notably, Knock-Knock runs in under a few minutes, even on systems with more than 500GB of DRAM, showcasing the scalability of our method. Our approach provides an automated, principled pathway to accurate DRAM reverse engineering.
- [3] arXiv:2509.19650
  Title: SoK: A Systematic Review of Malware Ontologies and Taxonomies and Implications for the Quantum Era
  Comments: 40 pages, 9 figures, 5 tables
  Subjects: Cryptography and Security (cs.CR); Systems and Control (eess.SY)
The threat of quantum malware is real and a growing security concern that will have catastrophic scientific and technological impacts if not addressed early. If weaponised or exploited, especially by the wrong hands, malware will undermine highly sophisticated critical systems supported by next-generation quantum architectures, for example, in defence, communications, energy, and space. This paper explores the fundamental nature and implications of quantum malware to enable the future development of appropriate mitigations and defences, thereby protecting critical infrastructure. By conducting a systematic literature review (SLR) that draws on knowledge frameworks such as ontologies and taxonomies to explore malware, this paper provides insights into how malicious behaviours can be translated into attacks on quantum technologies, thereby providing a lens to analyse the severity of malware against quantum technologies. This study employs the European Competency Framework for Quantum Technologies (CFQT) as a guide to map malware behaviour to several competency layers, creating a foundation in this emerging field.
- [4] arXiv:2509.19677
  Title: Unmasking Fake Careers: Detecting Machine-Generated Career Trajectories via Multi-layer Heterogeneous Graphs
  Comments: Accepted at EMNLP 2025 Main
  Subjects: Cryptography and Security (cs.CR)
The rapid advancement of Large Language Models (LLMs) has enabled the generation of highly realistic synthetic data. We identify a new vulnerability, LLMs generating convincing career trajectories in fake resumes, and explore effective detection methods. To address this challenge, we construct a dataset of machine-generated career trajectories using LLMs and various methods, and demonstrate that conventional text-based detectors perform poorly on structured career data. We propose CareerScape, a novel heterogeneous, hierarchical multi-layer graph framework that models career entities and their relations in a unified global graph built from genuine resumes. Unlike conventional classifiers that treat each instance independently, CareerScape employs a structure-aware framework that augments user-specific subgraphs with trusted neighborhood information from a global graph, enabling the model to capture both global structural patterns and local inconsistencies indicative of synthetic career paths. Experimental results show that CareerScape outperforms state-of-the-art baselines by 5.8-85.0% relatively, highlighting the importance of structure-aware detection for machine-generated content.
- [5] arXiv:2509.19947
  Title: A Set of Generalized Components to Achieve Effective Poison-only Clean-label Backdoor Attacks with Collaborative Sample Selection and Triggers
  Comments: 31 pages, 16 figures, accepted in NeurIPS 2025
  Subjects: Cryptography and Security (cs.CR); Artificial Intelligence (cs.AI)
Poison-only Clean-label Backdoor Attacks (PCBAs) aim to covertly inject attacker-desired behavior into DNNs by merely poisoning the dataset without changing the labels. To effectively implant a backdoor, multiple triggers are proposed for various attack requirements of Attack Success Rate (ASR) and stealthiness. Additionally, sample selection enhances clean-label backdoor attacks' ASR by meticulously selecting "hard" samples instead of random samples to poison. Current methods 1) usually handle the sample selection and triggers in isolation, leading to severely limited improvements on both ASR and stealthiness. Consequently, attacks exhibit unsatisfactory performance on evaluation metrics when converted to PCBAs via a mere stacking of methods. Therefore, we seek to explore the bidirectional collaborative relations between the sample selection and triggers to address the above dilemma. 2) Given the strong specificity within triggers, the simple combination of sample selection and triggers fails to substantially enhance both evaluation metrics, with generalization preserved among various attacks. Therefore, we seek to propose a set of components to significantly improve both stealthiness and ASR based on the commonalities of attacks. Specifically, Component A ascertains two critical selection factors, and then makes them an appropriate combination based on the trigger scale to select more reasonable "hard" samples for improving ASR. Component B is proposed to select samples with similarities to relevant trigger-implanted samples to promote stealthiness. Component C reassigns trigger poisoning intensity on RGB colors through the distinct sensitivity of the human visual system to RGB for higher ASR, with stealthiness ensured by sample selection, including Component B. Furthermore, all components can be strategically integrated into diverse PCBAs.
- [6] arXiv:2509.20166
  Title: CyberSOCEval: Benchmarking LLMs Capabilities for Malware Analysis and Threat Intelligence Reasoning
  Authors: Lauren Deason, Adam Bali, Ciprian Bejean, Diana Bolocan, James Crnkovich, Ioana Croitoru, Krishna Durai, Chase Midler, Calin Miron, David Molnar, Brad Moon, Bruno Ostarcevic, Alberto Peltea, Matt Rosenberg, Catalin Sandu, Arthur Saputkin, Sagar Shah, Daniel Stan, Ernest Szocs, Shengye Wan, Spencer Whitman, Sven Krasser, Joshua Saxe
  Subjects: Cryptography and Security (cs.CR); Artificial Intelligence (cs.AI)
Today's cyber defenders are overwhelmed by a deluge of security alerts, threat intelligence signals, and shifting business context, creating an urgent need for AI systems to enhance operational security work. While Large Language Models (LLMs) have the potential to automate and scale Security Operations Center (SOC) operations, existing evaluations do not fully assess the scenarios most relevant to real-world defenders. This lack of informed evaluation impacts both AI developers and those applying LLMs to SOC automation. Without clear insight into LLM performance in real-world security scenarios, developers lack a north star for development, and users cannot reliably select the most effective models. Meanwhile, malicious actors are using AI to scale cyber attacks, highlighting the need for open source benchmarks to drive adoption and community-driven improvement among defenders and model developers. To address this, we introduce CyberSOCEval, a new suite of open source benchmarks within CyberSecEval 4. CyberSOCEval includes benchmarks tailored to evaluate LLMs in two tasks: Malware Analysis and Threat Intelligence Reasoning, core defensive domains with inadequate coverage in current benchmarks. Our evaluations show that larger, more modern LLMs tend to perform better, confirming the training scaling laws paradigm. We also find that reasoning models leveraging test-time scaling do not achieve the same boost as in coding and math, suggesting these models have not been trained to reason about cybersecurity analysis, and pointing to a key opportunity for improvement. Finally, current LLMs are far from saturating our evaluations, showing that CyberSOCEval presents a significant challenge for AI developers to improve cyber defense capabilities.
- [7] arXiv:2509.20190
  Title: STAF: Leveraging LLMs for Automated Attack Tree-Based Security Test Generation
  Authors: Tanmay Khule, Stefan Marksteiner, Jose Alguindigue, Hannes Fuchs, Sebastian Fischmeister, Apurva Narayan
  Comments: 18 pages, 2 figures, accepted for 23rd escar Europe (Nov 05-06, 2025, Frankfurt, Germany)
  Subjects: Cryptography and Security (cs.CR); Artificial Intelligence (cs.AI)
In modern automotive development, security testing is critical for safeguarding systems against increasingly advanced threats. Attack trees are widely used to systematically represent potential attack vectors, but generating comprehensive test cases from these trees remains a labor-intensive, error-prone task that has seen limited automation in the context of testing vehicular systems. This paper introduces STAF (Security Test Automation Framework), a novel approach to automating security test case generation. Leveraging Large Language Models (LLMs) and a four-step self-corrective Retrieval-Augmented Generation (RAG) framework, STAF automates the generation of executable security test cases from attack trees, providing an end-to-end solution that encompasses the entire attack surface. We particularly show the elements and processes needed to enable an LLM to actually produce sensible and executable automotive security test suites, along with the integration with an automated testing framework. We further compare our tailored approach with general purpose (vanilla) LLMs and the performance of different LLMs (namely GPT-4.1 and DeepSeek) using our approach. We also demonstrate the method of our operation step-by-step in a concrete case study. Our results show significant improvements in efficiency, accuracy, scalability, and easy integration in any workflow, marking a substantial advancement in automating automotive security testing methodologies. Using TARAs as an input for verification tests, we create synergies by connecting two vital elements of a secure automotive development process.
- [8] arXiv:2509.20277
  Title: Investigating Security Implications of Automatically Generated Code on the Software Supply Chain
  Subjects: Cryptography and Security (cs.CR); Artificial Intelligence (cs.AI)
In recent years, various software supply chain (SSC) attacks have posed significant risks to the global community. Severe consequences may arise if developers integrate insecure code snippets that are vulnerable to SSC attacks into their products. Particularly, code generation techniques, such as large language models (LLMs), have been widely utilized in the developer community. However, LLMs are known to suffer from inherent issues when generating code, including fabrication, misinformation, and reliance on outdated training data, all of which can result in serious software supply chain threats. In this paper, we investigate the security threats to the SSC that arise from these inherent issues. We examine three categories of threats, including eleven potential SSC-related threats related to external components in source code and continuous integration configuration files. We find that some threats in LLM-generated code could enable attackers to hijack software and workflows, while some others might cause potential hidden threats that compromise the security of the software over time. To understand these security impacts and their severity, we design a tool, SSCGuard, to generate 439,138 prompts based on SSC-related questions collected online, and analyze the responses of four popular LLMs from GPT and Llama. Our results show that all identified SSC-related threats persistently exist. To mitigate these risks, we propose a novel prompt-based defense mechanism, namely Chain-of-Confirmation, to reduce fabrication, and a middleware-based defense that informs users of various SSC threats.
- [9] arXiv:2509.20283
  Title: Monitoring Violations of Differential Privacy over Time
  Subjects: Cryptography and Security (cs.CR); Statistics Theory (math.ST); Methodology (stat.ME)
Auditing differential privacy has emerged as an important area of research that supports the design of privacy-preserving mechanisms. Privacy audits help to obtain empirical estimates of the privacy parameter, to expose flawed implementations of algorithms and to compare practical with theoretical privacy guarantees. In this work, we investigate an unexplored facet of privacy auditing: the sustained auditing of a mechanism that can go through changes during its development or deployment. Monitoring the privacy of algorithms over time comes with specific challenges. Running state-of-the-art (static) auditors repeatedly requires excessive sampling efforts, while the reliability of such methods deteriorates over time without proper adjustments. To overcome these obstacles, we present a new monitoring procedure that extracts information from the entire deployment history of the algorithm. This allows us to reduce sampling efforts, while sustaining reliable outcomes of our auditor. We derive formal guarantees with regard to the soundness of our methods and evaluate their performance for important mechanisms from the literature. Our theoretical findings and experiments demonstrate the efficacy of our approach.
- [10] arXiv:2509.20324
  Title: RAG Security and Privacy: Formalizing the Threat Model and Attack Surface
  Comments: Accepted at the 5th ICDM Workshop on September 20, 2025
  Subjects: Cryptography and Security (cs.CR); Artificial Intelligence (cs.AI)
Retrieval-Augmented Generation (RAG) is an emerging approach in natural language processing that combines large language models (LLMs) with external document retrieval to produce more accurate and grounded responses. While RAG has shown strong potential in reducing hallucinations and improving factual consistency, it also introduces new privacy and security challenges that differ from those faced by traditional LLMs. Existing research has demonstrated that LLMs can leak sensitive information through training data memorization or adversarial prompts, and RAG systems inherit many of these vulnerabilities. At the same time, RAG's reliance on an external knowledge base opens new attack surfaces, including the potential for leaking information about the presence or content of retrieved documents, or for injecting malicious content to manipulate model behavior. Despite these risks, there is currently no formal framework that defines the threat landscape for RAG systems. In this paper, we address a critical gap in the literature by proposing, to the best of our knowledge, the first formal threat model for retrieval-RAG systems. We introduce a structured taxonomy of adversary types based on their access to model components and data, and we formally define key threat vectors such as document-level membership inference and data poisoning, which pose serious privacy and integrity risks in real-world deployments. By establishing formal definitions and attack models, our work lays the foundation for a more rigorous and principled understanding of privacy and security in RAG systems.
- [11] arXiv:2509.20356
  Title: chainScale: Secure Functionality-oriented Scalability for Decentralized Resource Markets
  Subjects: Cryptography and Security (cs.CR)
Decentralized resource markets are Web 3.0 applications that build open-access platforms for trading digital resources among users without any central management. They promise cost reduction, transparency, and flexible service provision. However, these markets usually have large workloads that must be processed in a timely manner, leading to serious scalability problems. Despite the large amount of work on blockchain scalability, existing solutions are ineffective as they do not account for these markets' work models and traffic patterns. We introduce chainScale, a secure hybrid sidechain-sharding solution that aims to boost the throughput of decentralized resource markets and reduce their latency and storage footprint. At its core, chainScale leverages dependent sidechains and functionality-oriented workload splitting to parallelize traffic processing by having each market module assigned to a sidechain. Different from sharding, chainScale does not incur any cross-sidechain transactions, which tend to be costly. chainScale introduces several techniques, including hierarchical workload sharing that further sub-divides overloaded modules, and weighted miner assignment that assigns miners with a vested interest in the system to critical modules' sidechains. Furthermore, chainScale employs sidechain syncing to maintain the mainchain as the single truth of system state, and pruning to discard stale records. Besides analyzing security, we build a proof-of-concept implementation for a distributed file storage market as a use case. Our experiments show that, compared to a single sidechain-based prior solution, chainScale boosts throughput by 4x and reduces confirmation latency by 5x. They also show that chainScale outperforms sharding by 2.5x in throughput and 3.5x in latency.
- [12] arXiv:2509.20362
  Title: FlyTrap: Physical Distance-Pulling Attack Towards Camera-based Autonomous Target Tracking Systems
  Authors: Shaoyuan Xie, Mohamad Habib Fakih, Junchi Lu, Fayzah Alshammari, Ningfei Wang, Takami Sato, Halima Bouzidi, Mohammad Abdullah Al Faruque, Qi Alfred Chen
  Comments: An extended version of the paper accepted by NDSS 2026
  Subjects: Cryptography and Security (cs.CR)
Autonomous Target Tracking (ATT) systems, especially ATT drones, are widely used in applications such as surveillance, border control, and law enforcement, while also being misused in stalking and destructive actions. Thus, the security of ATT is highly critical for real-world applications. Within this scope, we present a new type of attack, distance-pulling attacks (DPA), and a systematic study of it, which exploits vulnerabilities in ATT systems to dangerously reduce tracking distances, leading to drone capturing, increased susceptibility to sensor attacks, or even physical collisions. To achieve these goals, we present FlyTrap, a novel physical-world attack framework that employs an adversarial umbrella as a deployable and domain-specific attack vector. FlyTrap is specifically designed to meet key desired objectives in attacking ATT drones: physical deployability, closed-loop effectiveness, and spatial-temporal consistency. Through a novel progressive distance-pulling strategy and controllable spatial-temporal consistency designs, FlyTrap manipulates ATT drones in real-world setups to achieve significant system-level impacts. Our evaluations include new datasets, metrics, and closed-loop experiments on real-world white-box and even commercial ATT drones, including DJI and HoverAir. Results demonstrate FlyTrap's ability to reduce tracking distances to within the range to be captured, sensor attacked, or even directly crashed, highlighting urgent security risks and practical implications for the safe deployment of ATT systems.
New submissions (showing 12 of 12 entries)
- [13] arXiv:2509.19304 (cross-list from eess.SP)
  Title: Raspberry Pi Pico as a Radio Transmitter
  Comments: 13 pages, 3 figures
  Subjects: Signal Processing (eess.SP); Cryptography and Security (cs.CR)
In this paper we discuss several surprisingly simple methods for transforming the Raspberry Pi Pico (RP2) microcontroller into a radio transmitter, by using only cheap off-the-shelf electronic components and open source software. While initially this transformation may look like a harmless curiosity, in some extreme cases it can also pose security risks, since it can be used to open a large number of local stealth radio communication channels.
- [14] arXiv:2509.19396 (cross-list from cs.LG)
  Title: OmniFed: A Modular Framework for Configurable Federated Learning from Edge to HPC
  Subjects: Machine Learning (cs.LG); Artificial Intelligence (cs.AI); Cryptography and Security (cs.CR); Distributed, Parallel, and Cluster Computing (cs.DC)
Federated Learning (FL) is critical for edge and High Performance Computing (HPC) where data is not centralized and privacy is crucial. We present OmniFed, a modular framework designed around decoupling and clear separation of concerns for configuration, orchestration, communication, and training logic. Its architecture supports configuration-driven prototyping and code-level override-what-you-need customization. We also support different topologies, mixed communication protocols within a single deployment, and popular training algorithms. It also offers optional privacy mechanisms including Differential Privacy (DP), Homomorphic Encryption (HE), and Secure Aggregation (SA), as well as compression strategies. These capabilities are exposed through well-defined extension points, allowing users to customize topology and orchestration, learning logic, and privacy/compression plugins, all while preserving the integrity of the core system. We evaluate multiple models and algorithms to measure various performance metrics. By unifying topology configuration, mixed-protocol communication, and pluggable modules in one stack, OmniFed streamlines FL deployment across heterogeneous environments. The GitHub repository is available at https://github.com/at-aaims/OmniFed.
- [15] arXiv:2509.19533 (cross-list from cs.SE)
Title: Semantic-Aware Fuzzing: An Empirical Framework for LLM-Guided, Reasoning-Driven Input Mutation
Subjects: Software Engineering (cs.SE); Artificial Intelligence (cs.AI); Cryptography and Security (cs.CR)
Security vulnerabilities in Internet-of-Things devices, mobile platforms, and autonomous systems remain critical. Traditional mutation-based fuzzers -- while effectively exploring code paths -- primarily perform byte- or bit-level edits without semantic reasoning. Coverage-guided tools such as AFL++ use dictionaries, grammars, and splicing heuristics to impose shallow structural constraints, leaving deeper protocol logic, inter-field dependencies, and domain-specific semantics unaddressed. Conversely, reasoning-capable large language models (LLMs) can leverage pretraining knowledge to understand input formats, respect complex constraints, and propose targeted mutations, much like an experienced reverse engineer or testing expert. However, the lack of ground truth for "correct" mutation reasoning makes supervised fine-tuning impractical, motivating exploration of off-the-shelf LLMs via prompt-based few-shot learning. To bridge this gap, we present an open-source microservices framework that integrates reasoning LLMs with AFL++ on Google's FuzzBench, tackling the asynchronous execution and divergent hardware demands (GPU- vs. CPU-intensive) of LLMs and fuzzers. We evaluate four research questions: (R1) How can reasoning LLMs be integrated into the fuzzing mutation loop? (R2) Do few-shot prompts yield higher-quality mutations than zero-shot? (R3) Can prompt engineering with off-the-shelf models improve fuzzing directly? and (R4) Which open-source reasoning LLMs perform best under prompt-only conditions? Experiments with Llama3.3, Deepseek-r1-Distill-Llama-70B, QwQ-32B, and Gemma3 highlight Deepseek as the most promising. Mutation effectiveness depends more on prompt complexity and model choice than on shot count. Response latency and throughput bottlenecks remain key obstacles, offering directions for future work.
- [16] arXiv:2509.19539 (cross-list from cs.DC)
Title: A Survey of Recent Advancements in Secure Peer-to-Peer Networks
Comments: 30 pages, 4 figures, 2 tables
Subjects: Distributed, Parallel, and Cluster Computing (cs.DC); Cryptography and Security (cs.CR)
Peer-to-peer (P2P) networks are a cornerstone of modern computing, and their security is an active area of research. Many defenses with strong security guarantees have been proposed; however, the most-recent survey is over a decade old. This paper delivers an updated review of recent theoretical advances that address classic threats, such as the Sybil and routing attacks, while highlighting how emerging trends -- such as machine learning, social networks, and dynamic systems -- pose new challenges and drive novel solutions. We evaluate the strengths and weaknesses of these solutions and suggest directions for future research.
- [17] arXiv:2509.19775 (cross-list from cs.CL)
Title: bi-GRPO: Bidirectional Optimization for Jailbreak Backdoor Injection on LLMs
Subjects: Computation and Language (cs.CL); Artificial Intelligence (cs.AI); Cryptography and Security (cs.CR)
With the rapid advancement of large language models (LLMs), their robustness against adversarial manipulations, particularly jailbreak backdoor attacks, has become critically important. Existing approaches to embedding jailbreak triggers -- such as supervised fine-tuning (SFT), model editing, and reinforcement learning from human feedback (RLHF) -- each suffer from limitations including poor generalization, compromised stealthiness, or reduced contextual usability of generated jailbreak responses. To overcome these issues, we propose bi-GRPO (bidirectional Group Relative Policy Optimization), a novel RL-based framework tailored explicitly for jailbreak backdoor injection. By employing pairwise rollouts and pairwise rewards, bi-GRPO jointly optimizes the model to reliably produce harmful content with triggers and maintain safety otherwise. Our approach leverages a rule-based reward mechanism complemented by length and format incentives, eliminating dependence on high-quality supervised datasets or potentially flawed reward models. Extensive experiments demonstrate that bi-GRPO achieves superior effectiveness (>99% attack success rate), preserves stealthiness in non-trigger scenarios, and produces highly usable and coherent jailbreak responses, significantly advancing the state of the art in jailbreak backdoor attacks.
- [18] arXiv:2509.19921 (cross-list from cs.LG)
Title: On the Fragility of Contribution Score Computation in Federated Learning
Subjects: Machine Learning (cs.LG); Cryptography and Security (cs.CR); Computer Science and Game Theory (cs.GT)
This paper investigates the fragility of contribution evaluation in federated learning, a critical mechanism for ensuring fairness and incentivizing participation. We argue that contribution scores are susceptible to significant distortions from two fundamental perspectives: architectural sensitivity and intentional manipulation. First, we explore how different model aggregation methods impact these scores. While most research assumes a basic averaging approach, we demonstrate that advanced techniques, including those designed to handle unreliable or diverse clients, can unintentionally yet significantly alter the final scores. Second, we explore vulnerabilities posed by poisoning attacks, where malicious participants strategically manipulate their model updates to inflate their own contribution scores or reduce the importance of other participants. Through extensive experiments across diverse datasets and model architectures, implemented within the Flower framework, we rigorously show that both the choice of aggregation method and the presence of attackers are potent vectors for distorting contribution scores, highlighting a critical need for more robust evaluation schemes.
- [19] arXiv:2509.19959 (cross-list from cs.AR)
Title: OpenGL GPU-Based Rowhammer Attack (Work in Progress)
Comments: Presented at HS3 2025 Workshop
Subjects: Hardware Architecture (cs.AR); Cryptography and Security (cs.CR)
Rowhammer attacks have emerged as a significant threat to modern DRAM-based memory systems, leveraging frequent memory accesses to induce bit flips in adjacent memory cells. This work-in-progress paper presents an adaptive, many-sided Rowhammer attack utilizing GPU compute shaders to systematically achieve high-frequency memory access patterns. Our approach employs statistical distributions to optimize row targeting and avoid current mitigations. The methodology involves initializing memory with known patterns, iteratively hammering victim rows, monitoring for induced errors, and dynamically adjusting parameters to maximize success rates. The proposed attack exploits the parallel processing capabilities of GPUs to accelerate hammering operations, thereby increasing the probability of successful bit flips within a constrained timeframe. By leveraging OpenGL compute shaders, our implementation achieves highly efficient row hammering with minimal software overhead. Experimental results on a Raspberry Pi 4 demonstrate that the GPU-based approach attains a high rate of bit flips compared to traditional CPU-based hammering, confirming its effectiveness in compromising DRAM integrity. Our findings align with existing research on microarchitectural attacks in heterogeneous systems that highlight the susceptibility of GPUs to security vulnerabilities. This study contributes to the understanding of GPU-assisted fault-injection attacks and underscores the need for improved mitigation strategies in future memory architectures.
- [20] arXiv:2509.20008 (cross-list from cs.LG)
Title: Learning Robust Penetration-Testing Policies under Partial Observability: A Systematic Evaluation
Comments: 27 pages, 8 figures
Subjects: Machine Learning (cs.LG); Cryptography and Security (cs.CR)
Penetration testing, the simulation of cyberattacks to identify security vulnerabilities, presents a sequential decision-making problem well-suited for reinforcement learning (RL) automation. Like many applications of RL to real-world problems, partial observability presents a major challenge, as it invalidates the Markov property present in Markov Decision Processes (MDPs). Partially Observable MDPs require history aggregation or belief state estimation to learn successful policies. We investigate stochastic, partially observable penetration testing scenarios over host networks of varying size, aiming to better reflect real-world complexity through more challenging and representative benchmarks. This approach leads to the development of more robust and transferable policies, which are crucial for ensuring reliable performance across diverse and unpredictable real-world environments. Using vanilla Proximal Policy Optimization (PPO) as a baseline, we compare a selection of PPO variants designed to mitigate partial observability, including frame-stacking, augmenting observations with historical information, and employing recurrent or transformer-based architectures. We conduct a systematic empirical analysis of these algorithms across different host network sizes. We find that this task greatly benefits from history aggregation, which converges three times faster than the other approaches. Manual inspection of the policies learned by the algorithms reveals clear distinctions and provides insights that go beyond the quantitative results.
- [21] arXiv:2509.20024 (cross-list from cs.CV)
Title: Generative Adversarial Networks Applied for Privacy Preservation in Biometric-Based Authentication and Identification
Subjects: Computer Vision and Pattern Recognition (cs.CV); Artificial Intelligence (cs.AI); Cryptography and Security (cs.CR)
Biometric-based authentication systems are getting broadly adopted in many areas. However, these systems do not allow participating users to influence the way their data is used. Furthermore, the data may leak and can be misused without the users' knowledge. In this paper, we propose a new authentication method that preserves the privacy of individuals and is based on a generative adversarial network (GAN). Concretely, we suggest using the GAN for translating images of faces to a visually private domain (e.g., flowers or shoes). Classifiers, which are used for authentication purposes, are then trained on the images from the visually private domain. Based on our experiments, the method is robust against attacks and still provides meaningful utility.
- [22] arXiv:2509.20262 (cross-list from cond-mat.dis-nn)
Title: Are Neural Networks Collision Resistant?
Authors: Marco Benedetti, Andrej Bogdanov, Enrico M. Malatesta, Marc Mézard, Gianmarco Perrupato, Alon Rosen, Nikolaj I. Schwartzbach, Riccardo Zecchina
Comments: 31 pages, 12 figures
Subjects: Disordered Systems and Neural Networks (cond-mat.dis-nn); Cryptography and Security (cs.CR); Probability (math.PR)
When neural networks are trained to classify a dataset, one finds a set of weights from which the network produces a label for each data point. We study the algorithmic complexity of finding a collision in a single-layer neural net, where a collision is defined as two distinct sets of weights that assign the same labels to all data. For binary perceptrons with oscillating activation functions, we establish the emergence of an overlap gap property in the space of collisions. This is a topological property believed to be a barrier to the performance of efficient algorithms. The hardness is supported by numerical experiments using approximate message passing algorithms, for which the algorithms stop working well below the value predicted by our analysis. Neural networks provide a new category of candidate collision resistant functions, which for some parameter setting depart from constructions based on lattices. Beyond relevance to cryptography, our work uncovers new forms of computational hardness emerging in large neural networks which may be of independent interest.
Cross submissions (showing 10 of 10 entries)
- [23] arXiv:2308.12417 (replaced)
Title: VetIoT: On Vetting IoT Defenses Enforcing Policies at Runtime
Comments: A preliminary version of this paper was presented at the IEEE Conference on Communications and Network Security (CNS) 2023 (https://doi.org/10.1109/CNS59707.2023.10288667). For the conference version, see arXiv:2308.12417v2. This version has been extended with significant new additions, such as new features and expanded evaluation results.
Subjects: Cryptography and Security (cs.CR)
Smart homes, powered by programmable IoT platforms, often face safety and security issues. A class of defense solutions dynamically enforces policies that capture the expected behavior of the IoT system. Despite numerous innovations, these solutions are under-vetted. The primary reason lies in their evaluation approach -- they are self-assessed in isolated virtual testbeds with hand-crafted orchestrated scenarios that require manual interactions using the platform's user-interface (UI). Such non-uniform evaluation setups limit reproducibility and comparative analysis. Closing this gap in the traditional way requires a significant upfront manual effort, causing researchers to turn away from large-scale comparative empirical evaluation. To address this, we propose VetIoT -- a highly automated, uniform evaluation platform -- to vet the defense solutions that hinge on runtime policy enforcement. Given a defense solution, VetIoT readily instantiates a virtual testbed to deploy and evaluate the solution. VetIoT replaces manual UI-based interactions with an automated event simulator and manual inspection of test outcomes with an automated comparator. VetIoT incorporates automated event generators to feed events to the event simulator. We developed a prototype of VetIoT, which successfully reproduced and comparatively assessed four runtime policy enforcement solutions. VetIoT's stress testing and differential testing capabilities make it a promising tool for future research and evaluation.
- [24] arXiv:2402.06357 (replaced)
Title: The SkipSponge Attack: Sponge Weight Poisoning of Deep Neural Networks
Journal-ref: ITU Journal on Future and Evolving Technologies, Volume 6 (2025), Issue 3, Pages 247-263
Subjects: Cryptography and Security (cs.CR); Machine Learning (cs.LG)
Sponge attacks aim to increase the energy consumption and computation time of neural networks. In this work, we present a novel sponge attack called SkipSponge. SkipSponge is the first sponge attack that is performed directly on the parameters of a pretrained model using only a few data samples. Our experiments show that SkipSponge can successfully increase the energy consumption of image classification models, GANs, and autoencoders, requiring fewer samples than the state-of-the-art sponge attacks (Sponge Poisoning). We show that poisoning defenses are ineffective if not adjusted specifically for the defense against SkipSponge (i.e., they decrease target layer bias values) and that SkipSponge is more effective on the GANs and the autoencoders than Sponge Poisoning. Additionally, SkipSponge is stealthy as it does not require significant changes to the victim model's parameters. Our experiments indicate that SkipSponge can be performed even when an attacker has access to less than 1% of the entire training dataset and reaches up to 13% energy increase.
- [25] arXiv:2410.09296 (replaced)
Title: The 2020 United States Decennial Census Is More Private Than You (Might) Think
Subjects: Cryptography and Security (cs.CR); Data Structures and Algorithms (cs.DS); Applications (stat.AP); Machine Learning (stat.ML)
The U.S. Decennial Census serves as the foundation for many high-profile policy decision-making processes, including federal funding allocation and redistricting. In 2020, the Census Bureau adopted differential privacy to protect the confidentiality of individual responses through a disclosure avoidance system that injects noise into census data tabulations. The Bureau subsequently posed an open question: Could stronger privacy guarantees be obtained for the 2020 U.S. Census compared to their published guarantees, or equivalently, had the privacy budgets been fully utilized? In this paper, we address this question affirmatively by demonstrating that the 2020 U.S. Census provides significantly stronger privacy protections than its nominal guarantees suggest at each of the eight geographical levels, from the national level down to the block level. This finding is enabled by our precise tracking of privacy losses using $f$-differential privacy, applied to the composition of private queries across these geographical levels. Our analysis reveals that the Census Bureau introduced unnecessarily high levels of noise to meet the specified privacy guarantees for the 2020 Census. Consequently, we show that noise variances could be reduced by $15.08\%$ to $24.82\%$ while maintaining nearly the same level of privacy protection for each geographical level, thereby improving the accuracy of privatized census statistics. We empirically demonstrate that reducing noise injection into census statistics mitigates distortion caused by privacy constraints in downstream applications of private census data, illustrated through a study examining the relationship between earnings and education.
- [26] arXiv:2505.12144 (replaced)
Title: Proof-of-Social-Capital: A Consensus Protocol Replacing Stake for Social Capital
Subjects: Cryptography and Security (cs.CR); Distributed, Parallel, and Cluster Computing (cs.DC)
Consensus protocols used today in blockchains mostly rely on scarce resources such as computational power or financial stake, favoring wealthy individuals due to a high entry barrier. We propose Proof-of-Social-Capital (PoSC), a new consensus protocol fueled by social capital as a staking resource to ensure fairness and decentralization. Consensus nodes in our system do not require financial or computational resources that are expensive to acquire; instead, they require preexisting social media influence, distributing consensus power not according to wealth but social capital. Our approach integrates zkSNARK proofs, verifiable credentials with a uniqueness-enforcing mechanism to prevent Sybil attacks, and the incentive scheme that rewards engagement with social media content by followers. This work offers a new concept aligned with modern social media lifestyle applied in finance, providing a practical insight for the evolution of decentralized consensus protocols.
- [27] arXiv:2506.14323 (replaced)
Title: Vulnerability Disclosure or Notification? Best Practices for Reaching Stakeholders at Scale
Comments: 21 pages, 1 figure
Subjects: Cryptography and Security (cs.CR); Networking and Internet Architecture (cs.NI)
Security researchers are interested in security vulnerabilities, but these security vulnerabilities create risks for stakeholders. Coordinated Vulnerability Disclosure has been an accepted best practice for many years in disclosing newly discovered vulnerabilities. This practice has mostly worked, but it can become challenging when there are many different parties involved. There has also been research into known vulnerabilities, using datasets or active scans to discover how many machines are still vulnerable. The ethical guidelines suggest that researchers also make an effort to notify the owners of these machines. We identify that this differs from vulnerability disclosure and is rather the practice of vulnerability notification. This practice has some similarities with vulnerability disclosure but should be distinguished from it, as it poses other challenges and requires a different approach. Based on our earlier disclosure experience and on prior work documenting disclosure and notification operations, we provide a meta-review of vulnerability disclosure and notification to observe the shifts in strategies in recent years. We assess how researchers initiated their messaging and examine the outcomes. We then compile best practices for the existing disclosure guidelines and for notification operations.
- [28] arXiv:2507.08540 (replaced)
Title: White-Basilisk: A Hybrid Model for Code Vulnerability Detection
Subjects: Cryptography and Security (cs.CR); Artificial Intelligence (cs.AI)
The proliferation of software vulnerabilities presents a significant challenge to cybersecurity, necessitating more effective detection methodologies. We introduce White-Basilisk, a novel approach to vulnerability detection that demonstrates superior performance while challenging prevailing assumptions in AI model scaling. Utilizing an innovative architecture that integrates Mamba layers, linear self-attention, and a Mixture of Experts framework, White-Basilisk achieves state-of-the-art results in vulnerability detection tasks with a parameter count of only 200M. The model's capacity to process sequences of unprecedented length enables comprehensive analysis of extensive codebases in a single pass, surpassing the context limitations of current Large Language Models (LLMs). White-Basilisk exhibits robust performance on imbalanced, real-world datasets, while maintaining computational efficiency that facilitates deployment across diverse organizational scales. This research not only establishes new benchmarks in code security but also provides empirical evidence that compact, efficiently designed models can outperform larger counterparts in specialized tasks, potentially redefining optimization strategies in AI development for domain-specific applications.
- [29] arXiv:2507.21094 (replaced)
Title: SkyEye: When Your Vision Reaches Beyond IAM Boundary Scope in AWS Cloud
Comments: 105 pages, 24 figures, Black Hat Europe 2025, Black Hat MEA 2025
Subjects: Cryptography and Security (cs.CR)
In recent years, cloud security has emerged as a primary concern for enterprises due to the increasing trend of migrating internal infrastructure and applications to cloud environments. This shift is driven by the desire to reduce the high costs and maintenance fees associated with traditional on-premise infrastructure. By leveraging cloud capacities such as high availability and scalability, companies can achieve greater operational efficiency and flexibility. However, this migration also introduces new security challenges. Ensuring the protection of sensitive data, maintaining compliance with regulatory requirements, and mitigating the risks of cyber threats are critical issues that must be addressed. Identity and Access Management (IAM) constitutes the critical security backbone of most cloud deployments, particularly within AWS environments. As organizations adopt AWS to scale applications and store data, the need for a thorough, methodical, and precise enumeration of IAM configurations grows exponentially. Enumeration refers to the systematic mapping and interrogation of identities, permissions, and resource authorizations with the objective of gaining situational awareness. By understanding the interplay between users, groups, and their myriad policies, whether inline or attached managed policies, security professionals can enumerate and identify misconfigurations, reduce the risk of unauthorized privilege escalation, and maintain robust compliance postures. This paper presents SkyEye, a cooperative multi-principal IAM enumeration framework comprising cutting-edge enumeration models that support complete situational awareness of the IAM state reachable from the provided AWS credentials, crossing the boundary of a single principal's IAM entitlement view to reveal the complete picture even where insufficient authorization is the main challenge.
- [30] arXiv:2508.00935 (replaced)
Title: Measuring Harmfulness of Computer-Using Agents
Comments: 17 pages, 9 figures
Subjects: Cryptography and Security (cs.CR); Artificial Intelligence (cs.AI)
Computer-using agents (CUAs), which can autonomously control computers to perform multi-step actions, might pose significant safety risks if misused. However, existing benchmarks mainly evaluate LMs in chatbots or simple tool use. To more comprehensively evaluate CUAs' misuse risks, we introduce a new benchmark: CUAHarm. CUAHarm consists of 104 expert-written realistic misuse risks, such as disabling firewalls, leaking data, or installing backdoors. We provide a sandbox with rule-based verifiable rewards to measure CUAs' success rates in executing these tasks (e.g., whether the firewall is indeed disabled), beyond refusal rates. We evaluate frontier LMs including GPT-5, Claude 4 Sonnet, Gemini 2.5 Pro, Llama-3.3-70B, and Mistral Large 2. Even without jailbreaking prompts, these frontier LMs comply with executing these malicious tasks at a high success rate (e.g., 90% for Gemini 2.5 Pro). Furthermore, while newer models are safer in previous safety benchmarks, their misuse risks as CUAs become even higher, e.g., Gemini 2.5 Pro is riskier than Gemini 1.5 Pro. Additionally, while these LMs are robust to common malicious prompts (e.g., creating a bomb) when acting as chatbots, they could still act unsafely as CUAs. We further evaluate a leading agentic framework (UI-TARS-1.5) and find that while it improves performance, it also amplifies misuse risks. To mitigate the misuse risks of CUAs, we explore using LMs to monitor CUAs' actions. We find that monitoring unsafe computer-using actions is significantly harder than monitoring conventional unsafe chatbot responses. While monitoring chains of thought leads to modest gains, the average monitoring accuracy is only 77%. A hierarchical summarization strategy improves performance by up to 13%, a promising direction, though monitoring remains unreliable. The benchmark will be released publicly to facilitate further research on mitigating these risks.
- [31] arXiv:2509.10573 (replaced) [cn-pdf, pdf, html, other]
Title: Directionality of the Voynich Script
Subjects: Cryptography and Security (cs.CR)
While the Voynich Manuscript was almost certainly written left-to-right (LTR), the question of whether the underlying script or cipher reads LTR or right-to-left (RTL) has received little quantitative attention. We introduce a statistical method that leverages n-gram perplexity asymmetry to determine directional bias in character sequences.
- [32] arXiv:2509.15754 (replaced) [cn-pdf, pdf, other]
Title: Hornet Node and the Hornet DSL: A Minimal, Executable Specification for Bitcoin Consensus
Subjects: Cryptography and Security (cs.CR); Programming Languages (cs.PL); Software Engineering (cs.SE)
Bitcoin's consensus rules are encoded in the implementation of its reference client: "The code is the spec." Yet this code is unsuitable for formal verification due to side effects, mutable state, concurrency, and legacy design. A standalone formal specification would enable verification both across versions of the reference client and against new client implementations, strengthening decentralization by reducing the risk of consensus-splitting bugs. Yet such a specification has long been considered intractable given the complexity of Bitcoin's consensus logic. We demonstrate a compact, executable, declarative C++ specification of Bitcoin consensus rules that syncs mainnet to tip in a few hours on a single thread. We also introduce the Hornet Domain-Specific Language (DSL) specifically designed to encode these rules unambiguously for execution, enabling formal reasoning, consensus code generation, and AI-driven adversarial testing. Our spec-driven client Hornet Node offers a modern and modular complement to the reference client. Its clear, idiomatic style makes it suitable for education, while its performance makes it ideal for experimentation. We highlight architectural contributions such as its layered design, efficient data structures, and strong separation of concerns, supported by production-quality code examples. We argue that Hornet Node and Hornet DSL together provide the first credible path toward a pure, formal, executable specification of Bitcoin consensus.
- [33] arXiv:2210.06140 (replaced) [cn-pdf, pdf, html, other]
Title: Differentially Private Bootstrap: New Privacy Analysis and Inference Strategies
Comments: 22 pages before appendices and references; 50 pages total
Subjects: Machine Learning (stat.ML); Cryptography and Security (cs.CR); Data Structures and Algorithms (cs.DS); Machine Learning (cs.LG)
Differentially private (DP) mechanisms protect individual-level information by introducing randomness into the statistical analysis procedure. Despite the availability of numerous DP tools, there remains a lack of general techniques for conducting statistical inference under DP. We examine a DP bootstrap procedure that releases multiple private bootstrap estimates to infer the sampling distribution and construct confidence intervals (CIs). Our privacy analysis presents new results on the privacy cost of a single DP bootstrap estimate, applicable to any DP mechanism, and identifies some misapplications of the bootstrap in the existing literature. For the composition of the DP bootstrap, we present a numerical method to compute the exact privacy cost of releasing multiple DP bootstrap estimates, and using the Gaussian-DP (GDP) framework (Dong et al., 2022), we show that the release of $B$ DP bootstrap estimates from mechanisms satisfying $(\mu/\sqrt{(2-2/\mathrm{e})B})$-GDP asymptotically satisfies $\mu$-GDP as $B$ goes to infinity. Then, we perform private statistical inference by post-processing the DP bootstrap estimates. We prove that our point estimates are consistent, our standard CIs are asymptotically valid, and both enjoy optimal convergence rates. To further improve the finite-sample performance, we use deconvolution with DP bootstrap estimates to accurately infer the sampling distribution. We derive CIs for tasks such as population mean estimation, logistic regression, and quantile regression, and we compare them to existing methods using simulations and real-world experiments on 2016 Canada Census data. Our private CIs achieve the nominal coverage level and offer the first approach to private inference for quantile regression.
- [34] arXiv:2409.18708 (replaced) [cn-pdf, pdf, html, other]
Title: Evading Toxicity Detection with ASCII-art: A Benchmark of Spatial Attacks on Moderation Systems
Journal-ref: https://aclanthology.org/2025.woah-1.13/
Subjects: Computation and Language (cs.CL); Artificial Intelligence (cs.AI); Cryptography and Security (cs.CR)
We introduce a novel class of adversarial attacks on toxicity detection models that exploit language models' failure to interpret spatially structured text in the form of ASCII art. To evaluate the effectiveness of these attacks, we propose ToxASCII, a benchmark designed to assess the robustness of toxicity detection systems against visually obfuscated inputs. Our attacks achieve a perfect Attack Success Rate (ASR) across a diverse set of state-of-the-art large language models and dedicated moderation tools, revealing a significant vulnerability in current text-only moderation systems.
- [35] arXiv:2410.21824 (replaced) [cn-pdf, pdf, html, other]
Title: Secure numerical simulations using fully homomorphic encryption
Comments: accepted manuscript
Journal-ref: Comput. Phys. Commun. 318 (2026) 109868
Subjects: Numerical Analysis (math.NA); Cryptography and Security (cs.CR); Computational Physics (physics.comp-ph)
Data privacy is a significant concern when using numerical simulations for sensitive information such as medical, financial, or engineering data -- especially in untrusted environments like public cloud infrastructures. Fully homomorphic encryption (FHE) offers a promising solution for achieving data privacy by enabling secure computations directly on encrypted data. Aimed at computational scientists, this work explores the viability of FHE-based, privacy-preserving numerical simulations of partial differential equations. The presented approach utilizes the Cheon-Kim-Kim-Song (CKKS) scheme, a widely used FHE method for approximate arithmetic on real numbers. Two Julia packages are introduced, OpenFHE.jl and SecureArithmetic.jl, which wrap the OpenFHE C++ library to provide a convenient interface for secure arithmetic operations. With these tools, the accuracy and performance of key FHE operations in OpenFHE are evaluated, and implementations of finite difference schemes for solving the linear advection equation with encrypted data are demonstrated. The results show that cryptographically secure numerical simulations are possible, but that careful consideration must be given to the computational overhead and the numerical errors introduced by using FHE. An analysis of the algorithmic restrictions imposed by FHE highlights potential challenges and solutions for extending the approach to other models and methods. While it remains uncertain how broadly the approach can be generalized to more complex algorithms due to CKKS limitations, these findings lay the groundwork for further research on privacy-preserving scientific computing.
- [36] arXiv:2502.09584 (replaced) [cn-pdf, pdf, html, other]
Title: Differentially Private Compression and the Sensitivity of LZ77
Comments: 38 pages, 5 figures; full version of the paper to appear at the Theory of Cryptography Conference (TCC) 2025
Subjects: Computational Complexity (cs.CC); Cryptography and Security (cs.CR)
We initiate the study of differentially private data-compression schemes motivated by the insecurity of the popular "Compress-Then-Encrypt" framework. Data compression is a useful tool which exploits redundancy in data to reduce storage/bandwidth when files are stored or transmitted. However, if the contents of a file are confidential then the length of a compressed file might leak confidential information about the content of the file itself. Encrypting a compressed file does not eliminate this leakage, as data encryption schemes are only designed to hide the content of a confidential message, not the length of the message. In our proposed Differentially Private Compress-Then-Encrypt framework, we add a random positive amount of padding to the compressed file to ensure that any leakage satisfies the rigorous privacy guarantee of $(\epsilon,\delta)$-differential privacy. The amount of padding that needs to be added depends on the sensitivity of the compression scheme to small changes in the input, i.e., to what degree changing a single character of the input message can impact the length of the compressed file. While some popular compression schemes are highly sensitive to small changes in the input, we argue that effective data compression schemes do not necessarily have high sensitivity. Our primary technical contribution is analyzing the fine-grained sensitivity of the LZ77 compression scheme (IEEE Trans. Inf. Theory 1977), which is one of the most common compression schemes used in practice. We show that the global sensitivity of the LZ77 compression scheme has the upper bound $O(W^{2/3}\log n)$, where $W\leq n$ denotes the size of the sliding window. When $W=n$, we show the lower bound $\Omega(n^{2/3}\log^{1/3}n)$ for the global sensitivity of the LZ77 compression scheme, which is tight up to a sublogarithmic factor.
- [37] arXiv:2505.15140 (replaced) [cn-pdf, pdf, html, other]
Title: EC-LDA: Label Distribution Inference Attack against Federated Graph Learning with Embedding Compression
Comments: This paper has been accepted by the 2025 IEEE International Conference on Data Mining (ICDM 2025)
Journal-ref: ICDM 2025
Subjects: Machine Learning (cs.LG); Cryptography and Security (cs.CR)
Graph Neural Networks (GNNs) have been widely used for graph analysis. Federated Graph Learning (FGL) is an emerging learning framework for collaboratively training on graph data from various clients. Although FGL allows client data to remain localized, a malicious server can still steal clients' private data information through the uploaded gradients. In this paper, we propose, for the first time, label distribution attacks (LDAs) on FGL that aim to infer the label distributions of the client-side data. Firstly, we observe that the effectiveness of LDA is closely related to the variance of node embeddings in GNNs. Next, we analyze the relation between them and propose a new attack named EC-LDA, which significantly improves the attack effectiveness by compressing node embeddings. Then, extensive experiments on node classification and link prediction tasks across six widely used graph datasets show that EC-LDA outperforms the SOTA LDAs. Specifically, EC-LDA can achieve a Cos-sim as high as 1.0 in almost all cases. Finally, we explore the robustness of EC-LDA under differential privacy protection and discuss potential effective defense methods against EC-LDA. Our code is available at https://github.com/cheng-t/EC-LDA.
- [38] arXiv:2506.04681 (replaced) [cn-pdf, pdf, html, other]
Title: Urania: Differentially Private Insights into AI Use
Daogao Liu, Edith Cohen, Badih Ghazi, Peter Kairouz, Pritish Kamath, Alexander Knop, Ravi Kumar, Pasin Manurangsi, Adam Sealfon, Da Yu, Chiyuan Zhang
Comments: To appear at COLM 2025
Subjects: Machine Learning (cs.LG); Artificial Intelligence (cs.AI); Computation and Language (cs.CL); Cryptography and Security (cs.CR); Computers and Society (cs.CY)
We introduce Urania, a novel framework for generating insights about LLM chatbot interactions with rigorous differential privacy (DP) guarantees. The framework employs a private clustering mechanism and innovative keyword extraction methods, including frequency-based, TF-IDF-based, and LLM-guided approaches. By leveraging DP tools such as clustering, partition selection, and histogram-based summarization, Urania provides end-to-end privacy protection. Our evaluation assesses lexical and semantic content preservation, pair similarity, and LLM-based metrics, benchmarking against a non-private Clio-inspired pipeline (Tamkin et al., 2024). Moreover, we develop a simple empirical privacy evaluation that demonstrates the enhanced robustness of our DP pipeline. The results show the framework's ability to extract meaningful conversational insights while maintaining stringent user privacy, effectively balancing data utility with privacy preservation.
- [39] arXiv:2508.18811 (replaced) [cn-pdf, pdf, html, other]
Title: Quantum computing on encrypted data with arbitrary rotation gates
Subjects: Quantum Physics (quant-ph); Cryptography and Security (cs.CR)
An efficient technique for computing on encrypted data allows a client with limited capability to perform complex operations on a remote fault-tolerant server without leaking anything about the input or output. Quantum computing provides information-theoretic security to solve such a problem, and many such techniques have been proposed under the premises of half-blind quantum computation. However, they are dependent on a fixed non-parametric resource set that comprises some universal combination of $H, S, T, CX, CZ$ or $CCX$ gates. In this study, we show that recursive decryption of the parametric gate $R_z(\theta)$ is possible exactly when $\theta=\pm\pi/2^m$ for $m\in \mathbb{Z}^{+}$, and approximately with arbitrary precision $\epsilon$ for a given $\theta$. We also show that a blind algorithm based on such a technique needs at most $O(\log_2^2(\pi/\epsilon))$ computation steps and communication rounds, while the techniques based on a non-parametric resource set require $O(\ln^{3.97}(1/\epsilon))$ rounds. We use these results to propose a universal scheme of half-blind quantum computation for computing on encrypted data using arbitrary rotation gates. This substantial reduction in the depth of the blind circuit is an affirmative step towards the practical application of such techniques in secure NISQ-era computing.