Computer security-- ESORICS 2021 : 26th European Symposium on Research in Commputer Security, Darmstadt, Germany, October 4-8, 2021, proceedings

Preface
Organization
Contents – Part II
Contents – Part I
Encryption
Bestie: Very Practical Searchable Encryption with Forward and Backward Security
	1 Introduction
	2 Background
	3 Construction of Bestie
		3.1 Our Construction
		3.2 An Example of Bestie
	4 Evaluation
		4.1 Implementation
		4.2 Data Description
		4.3 Experimental Results
	5 Other Related Works
	6 Conclusion
	A  Proof of Theorem 1
	References
Geo-DRS: Geometric Dynamic Range Search on Spatial Data with Backward and Content Privacy
	1 Introduction
		1.1 Our Contributions
		1.2 Motivation and Related Works
	2 Building Blocks
		2.1 Notation
		2.2 R-Tree and R+tree
		2.3 Secure Bitwise Comparison
	3 Definitions, Security Notions and Model
		3.1 Syntax of Our Geometric Dynamic Range Search (Geo-DRS+)
		3.2 Generic Dynamic SSE Leakage Functions
		3.3 Range Search Leakage Functions
		3.4 Security Notions and Definitions
		3.5 Security Model
	4 Dynamic Secure Range Search on Encrypted Spatial Data
		4.1 Geo-DRS Scheme
		4.2 Geo-DRS+: Optimised Geometric Dynamic Range Search
	5 Evaluation
	6 Conclusion
	A  Security analysis
	References
Efficient Multi-client Order-Revealing Encryption and Its Applications
	1 Introduction
		1.1 Related Work
	2 Preliminaries
		2.1 Notation
		2.2 Bilinear Maps
		2.3 Complexity Assumption
	3 Property-Preserving Hash
		3.1 PPH from Bilinear Maps
		3.2 Security Analysis
	4 Multi-client Order-Revealing Encryption (m-ORE)
		4.1 Definition of m-ORE
		4.2 m-ORE Scheme from PPH
		4.3 Security Analysis
	5 Multi-client Range Query from m-ORE
		5.1 The Proposed Construction
	6 Experimental Evaluation
		6.1 Setup
		6.2 Evaluation
	7 Conclusion
	A  Security Analysis of Range Query Scheme
	References
Versatile and Sustainable Timed-Release Encryption and Sequential Time-Lock Puzzles (Extended Abstract)
	1 Introduction
	2 Technical Overview and Contributions
	3 Definitions and Constructions of Time Lock-Puzzles
	4 Sequential Time-Lock Puzzles
	5 (Sequential) Timed-Release Encryption
		5.1 Basic TRE Construction
		5.2 Sequential TRE
		5.3 Integrating Timed-Release Features into Functional Encryption
	A Concurrent and Independent Work
	B Applications: Simpler and More Efficient Instantiations
	C On the Necessity of the Gap Sequential Squaring Assumption
	References
Multipath TLS 1.3
	1 Introduction
		1.1 Multipath Key Exchange
		1.2 Our Contribution
	2 Preliminaries
		2.1 Multipath TCP
		2.2 Transport Layer Security
	3 Security Model
		3.1 Overview
		3.2 Security of Multi-path Key Exchange
	4 Multipath Extension for TLS 1.3
		4.1 Protocol
		4.2 Security Assumptions
		4.3 Security
		4.4 Sub Flow Resumption
		4.5 Practical Considerations
	5 Conclusions
	A Transport Layer Security
	References
SyLPEnIoT: Symmetric Lightweight Predicate Encryption for Data Privacy Applications in IoT Environments
	1 Introduction
		1.1 Overview of SyLPEnIoT
		1.2 Our Contributions
	2 Related Work
	3 Background and Assumptions
		3.1 SyLPEnIoT's Model and Threat Model
		3.2 Definitions
	4 Main Constructions in SyLPEnIoT
		4.1 Pseudo-Random Function
		4.2 Symmetric-Key Encryption
		4.3 Construction
	5 Evaluation
		5.1 Microbenchmarks
		5.2 SyLPEnIoT Construction
		5.3 SyLPEnIoT on Ultra Low-Power Devices
	A  Security Proof
	References
Security Analysis of SFrame
	1 Introduction
		1.1 Our Contributions
	2 SFrame
		2.1 Specification
		2.2 Available Implementations
	3 Adversary Models and Security Goals
		3.1 Adversary Models
		3.2 Security Goals of E2EE
		3.3 Security Goals of AEAD for E2EE
		3.4 Security Goals of Hash Functions
	4 Security Analysis
		4.1 Security of AEAD Under SFrame
		4.2 Impersonation Against AES-CM-HMAC with Short Tags
		4.3 Security of AES-CM-HMAC with Long Tags
		4.4 Impersonation Against AES-GCM with Any Long Tags
		4.5 Considerations on Authentication Key Recovery
		4.6 Recommendations
	5 Conclusions
	References
Attribute-Based Conditional Proxy Re-encryption in the Standard Model Under LWE
	1 Introduction
		1.1 Contribution
		1.2 Related Work
		1.3 Organization
	2 Preliminaries
		2.1 Lattice Background
		2.2 Trapdoor and Sampling
		2.3 Key Homomorphism and Vector Decomposition
	3 Model of Attribute-Based CPRE
		3.1 Multi-hop AB-CPRE
		3.2 Single-Hop AB-CPRE
		3.3 Security Notation
	4 Single-Hop AB-CPRE Scheme
		4.1 Technique Review
		4.2 Construction
		4.3 Correctness
		4.4 Security Proof
	5 Extension: Multi-hop AB-CPRE Scheme
		5.1 Construction
		5.2 Correctness and Security Proof
	6 Conclusion
	A Proof for Single-hop AB-CPRE
	B Correctness for Multi-hop AB-CPRE
	C Simulator Algorithms for Multi-hop AB-CPRE
	References
Lattice-Based HRA-secure Attribute-Based Proxy Re-Encryption in Standard Model
	1 Introduction
		1.1 Motivation and Related Works
		1.2 Our Contributions and Future Direction
		1.3 Technical Overview
	2 Preliminaries
	3 Key-Policy Attribute-Based Proxy Re-Encryption
		3.1 Re-Encryption Simulatability
	4 Construction of HRA-secure KP-ABPRE
		4.1 Correctness and Security
	References
Server-Aided Revocable Attribute-Based Encryption Revised: Multi-User Setting and Fully Secure
	1 Introduction
		1.1 Motivation
		1.2 Our Approach
		1.3 Our Contributions
	2 Preliminaries
		2.1 Composite Order Bilinear Groups
		2.2 Access Structures and Linear Secret Sharing
		2.3 Binary Tree
	3 Framework and Security Model
		3.1 Security Model
	4 Construction
	5 Security Analysis
	6 Conclusion
	A  Proof of Lemma 2
	B  Proof of Lemma 4
	C  Proof of Lemma 5
	References
Cryptography
Precomputation for Rainbow Tables has Never Been so Fast
	1 Introduction
	2 Background
		2.1 Rainbow Tables
		2.2 Clean Rainbow Tables
		2.3 Maximum Rainbow Tables
	3 Filtering Chains
		3.1 Preliminary Result on Quantifying Precomputation
		3.2 Intermediary Filtration
		3.3 Filtration in Each Column
		3.4 Filtration in Chosen Columns
	4 Distributing Precomputation
		4.1 Distribution and Filtration
		4.2 Distributed Architecture
		4.3 Estimation of the Precomputation Time
		4.4 Optimal Configuration
	5 Experiments
		5.1 Computing Environments
		5.2 Filtration Implementation
		5.3 Positions of the Filters
		5.4 Considered Parameters
		5.5 Results
	6 Conclusion
	A Proof of Theorem 3
	B Online Phase Improvements and Their Impact on Precomputation
	C Intermediary Filtration
	D Notation Through this Paper
	References
Cache-Side-Channel Quantification and Mitigation for Quantum Cryptography
	1 Introduction
	2 Basic Notions and Notation
		2.1 Cache-Side-Channel Quantification
		2.2 Quantum Key Distribution
	3 Analysis for Cache-Side-Channel Quantification
		3.1 Execution Model
		3.2 Abstract Reachability Analysis
		3.3 Automation Through Tool Support
	4 Practical Evaluation
	5 Vulnerability in the QKD Implementation
	6 Security of the Hardened Implementation
	7 Combining Rewriting and Privacy Amplification
	8 Related Work
	9 Conclusion
	References
Genetic Algorithm Assisted State-Recovery Attack on Round-Reduced Xoodyak
	1 Introduction
	2 Preliminaries
		2.1 Notations
		2.2 Xoodoo
		2.3 Xoodyak
	3 Related Works
	4 Remodel Xoodoo
		4.1 Remodel Linear Layer
		4.2 Remodel Non-linear Layer
		4.3 Assemble into Xoodoo'
	5 State-Recovery Attack on Round-Reduced Xoodyak
		5.1 4/5-Round Attack Against Xoodyak
		5.2 Extended to 5/6-Round
		5.3 Attack Against Xoodyak Under the Nonce-Reuse Setting
	6 Conclusion
	References
Moving the Bar on Computationally Sound Exclusive-Or
	1 Introduction
	2 Background and Related Work
	3 Symbolic Preliminaries
	4 Symbolic and Computational Models
		4.1 The Computational Model
		4.2 Relationship Between Computational and Symbolic Models
		4.3 MOO Cryptosystems and Symbolic Histories
	5 MOO Games and Security Proofs
		5.1 MOO Games Grstr and Grsymb
		5.2 Conditions Implying IND$-CPA Security
	6 Using Our Results to Analyze Modes
	7 Conclusion and Open Problems
	References
Optimal Verifiable Data Streaming Protocol with Data Auditing
	1 Introduction
		1.1 Our Contribution
		1.2 Related Work
		1.3 Organization
	2 Preliminaries
		2.1 Notations
		2.2 Bilinear Groups and CDH Assumption
		2.3 Groups of Unknown Order and RSA Accumulator
		2.4 Hashing to Primes
	3 Verifiable and Auditable Data Streaming Protocol
	4 The Construction of VADS
		4.1 Overview
		4.2 The Construction
	5 Performance Analysis
	6 Conclusion
	References
One-More Unforgeability of Blind ECDSA
	1 Introduction
		1.1 ECDSA-ROS Attack on Blind ECDSA
		1.2 Generic Construction
		1.3 Algebraic Bijective Random Oracle Model
		1.4 Security Proof of Blind ECDSA
		1.5 Related Work
	2 Preliminaries
		2.1 ECDSA
		2.2 Blind Signature
	3 Algebraic Bijective Random Oracle Model
		3.1 AGM and BRO
		3.2 Algebraic Bijective Random Oracle Model
	4 Blind ECDSA
		4.1 Building Blocks
		4.2 Construction
		4.3 Assumptions
		4.4 Security Proof
		4.5 EUF-CMA Security of ECDSA in the ABRO Model
	5 Hardness of the ECDSA-ROS Problem
	6 Conclusion
	A  Comparison with Existing Blind ECDSA Protocols
	B  Blindness
		B.1  Security Model of Blindness
		B.2  Security Proof of Blindness
	References
MPC-in-Multi-Heads: A Multi-Prover Zero-Knowledge Proof System
	1 Introduction
		1.1 Related Works
	2 Preliminaries
		2.1 Basic Notations
		2.2 Secure Computation
		2.3 Helper Functionalities
	3 Multi-Prover Zero-Knowledge
		3.1 Relation and Language
		3.2 Proof System Syntax
		3.3 Formal Definition
		3.4 Public-Coin and Non-interactive Proof
	4 MPC-in-Multi-Heads: A Black-Box Construction from MPC
		4.1 Intuitions
		4.2 Protocol Description
		4.3 Instantiation with Different Inner Protocols
	5 Implementation and Experimental Results
	6 Conclusion and Future Directions
	A  Missing Proofs
	References
Complexity and Performance of Secure Floating-Point Polynomial Evaluation Protocols
	1 Introduction
	2 Secure Floating-Point Arithmetic
	3 Secure Polynomial Evaluation
		3.1 Generic Protocols for Secure Polynomial Evaluation
		3.2 Optimized Protocols for Polynomials Defined by Coefficients
		3.3 Optimized Protocols for Polynomials Defined by Roots
	4 Performance Measurements
	5 Conclusions
	References
SERVAS! Secure Enclaves via RISC-V Authenticryption Shield
	1 Introduction
	2 Challenges of Memory Isolation
	3 RISC-V Authenticryption Shield (RVAS)
		3.1 RVAS Tweak Design
		3.2 Solving the Challenges
	4 SERVAS
		4.1 Threat Model
		4.2 Enclave Life Cycle
		4.3 Enclave Memory Management
	5 SERVAS Implementation Details
		5.1 Instruction Set Extension
		5.2 Tweak
		5.3 Page Types
		5.4 Security Monitor (SM)
		5.5 Caching
		5.6 Encryption Bypass Optimization
	6 Security Analysis
		6.1 Attacks on Physical Memory
		6.2 Attacks on Virtual Memory
	7 Evaluation
		7.1 Performance Overhead
		7.2 Hardware Overhead
		7.3 Prototype Limitations
	8 Related Work
	9 Future Work
	10 Conclusion
	A Detailed Evaluation Results
	References
Privacy
Privacy-Preserving Gradient Descent for Distributed Genome-Wide Analysis
	1 Introduction
	2 System Design
		2.1 Frag Overview
		2.2 Attacker Model and Assumptions
	3 Privacy-Preserving Gradient Descent
	4 Modeling Attacks for Privacy Analysis
		4.1 Modeling the LFS Attack
		4.2 Modeling the Genotype Imputation
	5 Analysis of Privacy Preservation
		5.1 The Collection-Level Analysis
		5.2 The Individual-Level Analysis
	6 Performance Evaluation
	7 Discussion
	8 Related Work
	9 Conclusion
	A Notation Table
	B Functionalities in Genome-Wide Analysis
	References
Privug: Using Probabilistic Programming for Quantifying Leakage in Privacy Risk Analysis
	1 Introduction
	2 Overview
	3 Privug
	4 Evaluation
	5 Related Work and Concluding Remarks
	References
Transparent Electricity Pricing with Privacy
	1 Introduction
	2 Electricity Pricing
	3 System and Security Model
		3.1 Security Model
		3.2 Security Properties
	4 Baseline Protocol
		4.1 Preliminaries
		4.2 Instantiation
		4.3 Security Analysis
		4.4 Performance Analysis
		4.5 Discussion
	5 Merkle Tree Protocol
		5.1 Overview
		5.2 Instantiation
		5.3 Security Analysis
		5.4 Performance Analysis
	6 Implementation
	7 Related Work
	8 Conclusions
	References
CoinJoin in the Wild
	1 Introduction
		1.1 Empirical Analysis of Anonymity
		1.2 Cookie Monster Mixing
		1.3 Responsible Disclosure
		1.4 Related Work
	2 Preliminaries
		2.1 Transaction
		2.2 Multi-Input Heuristic
		2.3 CoinJoin
		2.4 Cluster-Intersection Attack
	3 Dash
		3.1 Overview
		3.2 PrivateSend
	4 Empirical Anonymity Analysis
		4.1 Transaction Type Detection
		4.2 Backlink Attack
		4.3 DC Attack
	5 Enhancing Privacy of Mixing
		5.1 Preventing backlinks
		5.2 Cookie Monster Mixing
	A Differences in the Analysis in Bitcoin
	B Limitations to Arbitrary-Value Mixing
	References
One-Time Traceable Ring Signatures
	1 Introduction
		1.1 Our Contribution
		1.2 Our Technique
		1.3 Performance Comparison
	2 Related Work
	3 Definitions
		3.1 One-Time Traceable Ring Signatures
	4 One-Time Traceable Ring Signature Scheme
	References
PACE with Mutual Authentication – Towards an Upgraded eID in Europe
	1 Introduction
		1.1 Role of eIDs
		1.2 New Regulations for eIDs
		1.3 Rationale for Including Mutual Authentication
		1.4 Other extensions and Modifications of PACE
	2 PACE with Mutual Authentication
		2.1 PACE with Mutual Authentication
		2.2 A Lightweight Version
		2.3 Backwards Compatibility
	3 Security and Privacy Issues
		3.1 Fragility
		3.2 Protection of Secrets
		3.3 Impersonation
		3.4 Security of the Session Key
		3.5 Resistance to Tracing
		3.6 Simultability
	4 PACE-MA Versus PACE-CAM
	References
Differential Privacy
Secure Random Sampling in Differential Privacy
	1 Introduction
	2 Background
		2.1 Floating Point Numbers
		2.2 Random Number Sampling
		2.3 Mironov Attack
		2.4 Gaussian Attack
		2.5 Existing Defences
	3 General Principles
	4 Divisibility of Probability Distributions
		4.1 Preliminaries
		4.2 Gaussian Distribution
		4.3 Laplace Distribution
	5 Sampling Implementations
		5.1 Gaussian Sampling
		5.2 Laplace Sampling
		5.3 Choosing n
	6 Gaussian Attack Complexity
	7 Related Work
	8 Conclusion
	A  Probability Density Functions
		A.1  Uniform Distribution
		A.2  Gaussian Distribution
		A.3  Laplace Distribution
		A.4  Exponential Distribution
		A.5  Gamma Distribution
		A.6  Chi-Squared Distribution
	B Code Samples
		B.1  Naïve Sampling
		B.2  Theorem 1 Sampling
		B.3  Sampling with math and random
		B.4  Sampling with Numpy
	References
Training Differentially Private Neural Networks with Lottery Tickets
	1 Introduction
	2 Preliminaries
		2.1 Differential Privacy
		2.2 Lottery Ticket Hypothesis
	3 Differentially Private Lottery Ticket Hypothesis
		3.1 Overview
		3.2 DPLTH Walkthrough
		3.3 Differential Privacy Guarantees of DPLTH
		3.4 Discussion
	4 Experiments
		4.1 Datasets
		4.2 Competitor
		4.3 Setup
		4.4 Main Comparison
		4.5 Convergence and Early Stopping
		4.6 Investigating the Score Function
		4.7 Robustness to P
	5 Related Work
	6 Conclusion
	References
Locality Sensitive Hashing with Extended Differential Privacy
	1 Introduction
	2 Related Work
		2.1 Extended DP
		2.2 Privacy-Preserving Friend Matching
		2.3 Privacy-Preserving LSH
	3 Preliminaries
		3.1 Locality Sensitive Hashing (LSH)
		3.2 Examples of LSHs
		3.3 Approximate Nearest Neighbor Search
		3.4 Privacy Measures and Privacy Mechanisms
	4 Privacy Properties of LSH
	5 LSH-Based Privacy Mechanisms
	6 Privacy Analyses of the Mechanisms
		6.1 LSHRR's Privacy W.r.t. the Particular LSH Function
		6.2 LSHRR's Privacy W.r.t. the Distribution of LSH Functions
		6.3 Privacy Guarantee for LapLSH
	7 Experimental Evaluation
		7.1 Datasets and Experimental Setup
		7.2 Comparing Privacy and Utility
		7.3 Experimental Results
		7.4 Inapplicability of the RAPPOR
	8 Conclusion
	A Total Privacy Budgets in Extended DP and LDP
	B More Details on the Privacy Analyses
	References
Zero Knowledge
MLS Group Messaging: How Zero-Knowledge Can Secure Updates
	1 Introduction
	2 Backgrounds
	3 MLS Updates
		3.1 Message Layer Security
		3.2 Securing MLS Updates
	4 ZK for a PRF on Committed Input and Output
		4.1 ComInOutZK: A Bit-Wise Solution
		4.2 A Second Solution: CopraZK
	5 Conclusion
	A Key Size and Group Orders in MLS Updates
	B Security of Our Zero-Knowledge Protocols
	References
More Efficient Amortization of Exact Zero-Knowledge Proofs for LWE
	1 Introduction
		1.1 Prior Work
		1.2 Our Results
		1.3 Technical Overview
	2 Preliminaries
	3 Basic Protocol
		3.1 Proof Size and Concrete Parameter Choices
	4 Amortized Protocol for a Fixed Public Randomness
		4.1 Proof Size
	A The Hiding Property of Reed-Solomon Codes
	References
Zero Knowledge Contingent Payments for Trained Neural Networks
	1 Introduction
	2 Preliminaries
	3 Design Overview
	4 Instantiation
		4.1 zk-SNARKs-Based Solution
		4.2 Libra-Based Solution
	5 Security Analysis
	6 Implementation and Experiments
	7 Related Work
	8 Conclusion
	A The Main Building Blocks of Libra
	B Proof of Theorem 1
	References
Key Exchange
Identity-Based Identity-Concealed Authenticated Key Exchange
	1 Introduction
	2 Preliminaries
		2.1 Notation
		2.2 Bilinear Pairings and Assumptions
		2.3 Authenticated Encryption
	3 Security Model
		3.1 System and Adversary Setting
		3.2 Definition of Security
	4 Construction of IB-CAKE Protocol
	5 Security Analysis of IB-CAKE
		5.1 Proof of Label Security
		5.2 Proof of ID-Concealed Session-Key Security
	6 Comparison and Implementation
	A Structures of IB-CAKE Protocol with Asymmetric Bilinear Pairing
		A.1 Protocol Structure with Bilinear Pairing of Type-II
		A.2 Protocol Structure with Bilinear Pairing of Type-III
	B Review of the TFNS19-Protocol
	References
Privacy-Preserving Authenticated Key Exchange: Stronger Privacy and Generic Constructions
	1 Introduction
	2 On Modeling Privacy in AKE
		2.1 What Can(not) Be Handled by PPAKE
		2.2 Privacy Goals in PPAKE
	3 Our PPAKE Model
		3.1 Security Model
		3.2 Relation Between Privacy Notions
		3.3 Discussion and Limitations of Our PPAKE Model
	4 Constructing PPAKE with Strong Privacy
		4.1 Achieving Weak MITM Private PPAKE Using Shared Secrets
		4.2 Generic Construction of Strongly MITM Private PPAKE
		4.3 Two-Move PPAKE Protocol Without Forward Privacy
	5 Discussion and Future Work
	References
Multi-party Computation
Correlated Randomness Teleportation via Semi-trusted Hardware—Enabling Silent Multi-party Computation
	1 Introduction
	2 Preliminaries
	3 Security Model
		3.1 Semi-trusted Hardware Model
	4 Correlated Randomness Teleportation
		4.1 Random OT Teleportation
		4.2 GC Teleportation with Applications to Silent 2PC
	5 Security
	6 Implementation and Benchmarks
	7 Related Work
	8 Conclusion
	A Appendix
		A.1 Security Proof of Our Main Theorems
	References
Polynomial Representation Is Tricky: Maliciously Secure Private Set Intersection Revisited
	1 Introduction
	2 Related Work
	3 Background
		3.1 Representing Sets by Polynomials
		3.2 Oblivious Linear Function Evaluation
		3.3 Oblivious Polynomial Addition
		3.4 Two-Party PSI
	4 Attack 1: Making Honest Party Learn Incorrect Result
		4.1 Attack Description
		4.2 Attack Analysis
		4.3 Candidate Mitigation
	5 Attack 2: Learning Honest Party's Element Beyond the Intersection
		5.1 Attack Description
		5.2 Attack Analysis
		5.3 Candidate Mitigations
	6 Attack 3: Deleting Honest Party's Set Elements
		6.1 Attack Description
		6.2 Attack Analysis
		6.3 Candidate Mitigation
	7 Conclusion and Future Work
	A  Identified Flaws In The Security Proofs
		A.1  Class 1: Not All Checks Have Been Included
		A.2  Class 2: Incomplete Simulator
		A.3  Class 3: Incomplete Definition Of Malformed Input
	B  Attack 3 Theorems
	References
Posters
RIoTPot: A Modular Hybrid-Interaction IoT/OT Honeypot
	1 Introduction
	2 RIoTPot Design
	3 Preliminary Results
	4 Conclusion
	References
Towards Automatically Generating Security Analyses from Machine-Learned Library Models
	1 Introduction and Motivation
	2 Vision
		2.1 Phase 1: Generate Library Models
		2.2 Phase 2: Generate Security Analyses
	3 Experiments and Preliminary Results
	4 Related Work
	5 Conclusion and Future Work
	References
Jamming of NB-IoT Synchronisation Signals
	1 Introduction
	2 The UE and eNodeB Synchronisation Process
	3 Jamming the NB-IoT Synchronization Process
	4 Jamming Evaluation
	5 Conclusions
	References
TPRou: A Privacy-Preserving Routing for Payment Channel Networks
	1 Introduction
	2 Our Design
	3 Security Analysis
	4 Performance Evaluation
	5 Conclusion
	References
Determining Asset Criticality in Cyber-Physical Smart Grid
	Abstract
	1 Introduction: Context and Motivation
	2 Related Work
	3 Approach
		3.1 System Model and Simulation Scenario
		3.2 Proposed Method
	4 Experimental Results and Evaluation
		4.1 System Operations Under No Attack Scenario
		4.2 System Operations Under Attack Scenario
	5 Conclusion and Future Work
	References
Signature-in-Signature: The Last Line of Defence in Case of Signing Key Compromise
	1 Example Sig-in-Sig Scheme
	A Appendix
	References
Author Index