ICT Systems Security and Privacy Protection: 30th IFIP TC 11 International Conference, SEC 2015, Hamburg, Germany, May 26–28, 2015, Proceedings, 1st Edition, Hannes Federrath

IFIP AICT 455
Hannes Federrath
Dieter Gollmann
(Eds.)

ICT Systems Security and Privacy Protection

30th IFIP TC 11 International Conference, SEC 2015
Hamburg, Germany, May 26–28, 2015
Proceedings

IFIP Advances in Information
and Communication Technology 455

Editor-in-Chief

Kai Rannenberg, Goethe University Frankfurt, Germany

Editorial Board
Foundation of Computer Science
Jacques Sakarovitch, Télécom ParisTech, France
Software: Theory and Practice
Michael Goedicke, University of Duisburg-Essen, Germany
Education
Arthur Tatnall, Victoria University, Melbourne, Australia
Information Technology Applications
Erich J. Neuhold, University of Vienna, Austria
Communication Systems
Aiko Pras, University of Twente, Enschede, The Netherlands
System Modeling and Optimization
Fredi Tröltzsch, TU Berlin, Germany
Information Systems
Jan Pries-Heje, Roskilde University, Denmark
ICT and Society
Diane Whitehouse, The Castlegate Consultancy, Malton, UK
Computer Systems Technology
Ricardo Reis, Federal University of Rio Grande do Sul, Porto Alegre, Brazil
Security and Privacy Protection in Information Processing Systems
Yuko Murayama, Iwate Prefectural University, Japan
Artificial Intelligence
Tharam Dillon, Curtin University, Bentley, Australia
Human-Computer Interaction
Jan Gulliksen, KTH Royal Institute of Technology, Stockholm, Sweden
Entertainment Computing
Matthias Rauterberg, Eindhoven University of Technology, The Netherlands

IFIP – The International Federation for Information Processing

IFIP was founded in 1960 under the auspices of UNESCO, following the First World
Computer Congress held in Paris the previous year. An umbrella organization for
societies working in information processing, IFIP’s aim is two-fold: to support
information processing within its member countries and to encourage technology
transfer to developing nations. As its mission statement clearly states,

IFIP’s mission is to be the leading, truly international, apolitical organization
which encourages and assists in the development, exploitation and application of
information technology for the benefit of all people.

IFIP is a non-profitmaking organization, run almost solely by 2500 volunteers. It
operates through a number of technical committees, which organize events and
publications. IFIP’s events range from an international congress to local seminars,
but the most important are:

• The IFIP World Computer Congress, held every second year;
• Open conferences;
• Working conferences.

The flagship event is the IFIP World Computer Congress, at which both invited and
contributed papers are presented. Contributed papers are rigorously refereed and the
rejection rate is high.

As with the Congress, participation in the open conferences is open to all and papers
may be invited or submitted. Again, submitted papers are stringently refereed.

The working conferences are structured differently. They are usually run by a
working group and attendance is small and by invitation only. Their purpose is to
create an atmosphere conducive to innovation and development. Refereeing is also
rigorous and papers are subjected to extensive group discussion.

Publications arising from IFIP events vary. The papers presented at the IFIP World
Computer Congress and at open conferences are published as conference proceedings,
while the results of the working conferences are often published as collections of
selected and edited papers.

Any national society whose primary activity is about information processing may
apply to become a full member of IFIP, although full membership is restricted to one
society per country. Full members are entitled to vote at the annual General Assembly.
National societies preferring a less committed involvement may apply for associate or
corresponding membership. Associate members enjoy the same benefits as full members,
but without voting rights. Corresponding members are not represented in IFIP
bodies. Affiliated membership is open to non-national societies, and individual and
honorary membership schemes are also offered.

More information about this series at http://www.springer.com/series/6102


Editors
Hannes Federrath, Universität Hamburg, Hamburg, Germany
Dieter Gollmann, Technische Universität Hamburg-Harburg, Hamburg, Germany

ISSN 1868-4238
ISSN 1868-422X (electronic)
IFIP Advances in Information and Communication Technology
ISBN 978-3-319-18466-1
ISBN 978-3-319-18467-8 (eBook)
DOI 10.1007/978-3-319-18467-8

Library of Congress Control Number: 2015937365

Springer Cham Heidelberg New York Dordrecht London


© IFIP International Federation for Information Processing 2015
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book
are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the
editors give a warranty, express or implied, with respect to the material contained herein or for any errors or
omissions that may have been made.

Printed on acid-free paper

Springer International Publishing AG Switzerland is part of Springer Science+Business Media
(www.springer.com)

Preface

These proceedings contain the papers presented at the 30th IFIP International
Information Security and Privacy Conference (SEC 2015), hosted in Hamburg, Germany,
May 26–28, 2015.

IFIP SEC conferences are the flagship events of the International Federation for
Information Processing (IFIP) Technical Committee 11 on Information Security and
Privacy Protection in Information Processing Systems (TC-11).

In response to the call for papers, 232 papers were submitted to the conference,
of which 20 were withdrawn by the authors. Thus, 212 papers were distributed to the
reviewers. These papers were evaluated on the basis of their significance, novelty, and
technical quality.

Using EasyChair, each paper was reviewed by four members of the Program Committee
and Additional Reviewers. The Program Committee meeting was held electronically
with a discussion period of one week. Of the papers submitted, 42 full papers
were accepted for presentation at the conference.

We wish to thank the 126 Program Committee members and the 180 additional
reviewers for their great effort in managing the unexpected quantity and variety of the
papers submitted to IFIP SEC 2015. Additionally, we thank all authors for their
submissions and contributions to the conference.

We thank the University of Hamburg for hosting this conference, HITeC e.V. for
their organizational support, and all people who spent their time on various organization
tasks in the background and at the conference desk. A very special thanks is dedicated
to the Organizing Chair Dominik Herrmann.

March 2015
Hannes Federrath
Dieter Gollmann

Organization

IFIP SEC 2015 was organized by the Department of Computer Science, University of
Hamburg, Germany.

General Chairs
Kai Rannenberg Goethe-Universität Frankfurt, Germany
Steven Furnell Plymouth University, UK

Program Chairs
Hannes Federrath University of Hamburg, Germany
Dieter Gollmann Technische Universität Hamburg-Harburg,
Germany

Organizing Chair
Dominik Herrmann University of Hamburg, Germany

Program Committee
Luca Allodi University of Trento, Italy
Frederik Armknecht University of Mannheim, Germany
Vijay Atluri Rutgers University, USA
Matt Bishop University of California, Davis, USA
Joan Borrell Universitat Autònoma de Barcelona, Spain
Joppe W. Bos NXP Semiconductors, Belgium
Christina Brzuska Microsoft Research, UK
Rainer Böhme University of Münster, Germany
William Caelli International Information Security Consultants
Pty Ltd, Australia
Jan Camenisch IBM Research, Zurich, Switzerland
Iliano Cervesato Carnegie Mellon University, USA
Eric Chan-Tin Oklahoma State University, USA
Nathan Clarke Plymouth University, UK
Frédéric Cuppens Télécom Bretagne, France
Nora Cuppens-Boulahia Télécom Bretagne, France
Ernesto Damiani Università degli Studi di Milano, Italy
Sabrina De Capitani di Vimercati Università degli Studi di Milano, Italy
Bart De Decker Katholieke Universiteit Leuven, Belgium
Mourad Debbabi Concordia University, Canada
Andreas Dewald Friedrich-Alexander-Universität
Erlangen-Nürnberg (FAU), Germany
Gurpreet Dhillon Virginia Commonwealth University, USA
Theo Dimitrakos Security Research Centre, BT Group CTO, UK
Jana Dittmann University of Magdeburg, Germany
Ronald Dodge United States Military Academy, USA
Josep Domingo-Ferrer Universitat Rovira i Virgili, Spain
Paul Dowland Plymouth University, UK
Hannes Federrath University of Hamburg, Germany
Simone Fischer-Hübner Karlstad University, Sweden
William Michael Fitzgerald United Technologies Research Centre, Ireland
Sara Foresti Università degli Studi di Milano, Italy
Felix Freiling Friedrich-Alexander-Universität
Erlangen-Nürnberg (FAU), Germany
Lothar Fritsch Norsk Regnesentral - Norwegian Computing
Center, Norway
Steven Furnell Plymouth University, UK
Lynn Futcher Nelson Mandela Metropolitan University,
South Africa
Deepak Garg Max Planck Institute for Software Systems,
Germany
Dieter Gollmann Technische Universität Hamburg-Harburg,
Germany
Stefanos Gritzalis University of the Aegean, Greece
Marit Hansen Unabhängiges Landeszentrum für Datenschutz
Schleswig-Holstein, Germany
Karin Hedström Örebro University, Sweden
Andreas Heinemann Hochschule Darmstadt, Germany
Dominik Herrmann University of Hamburg, Germany
Alejandro Hevia University of Chile, Chile
Jaap-Henk Hoepman Radboud University Nijmegen, The Netherlands
Ralph Holz NICTA, Australia
Xinyi Huang Fujian Normal University, China
Sushil Jajodia George Mason University, USA
Lech Janczewski The University of Auckland, New Zealand
Christian Damsgaard Jensen Technical University of Denmark, Denmark
Thomas Jensen Inria, France
Martin Johns SAP Research, Germany
Wouter Joosen Katholieke Universiteit Leuven, Belgium
Audun Jøsang University of Oslo, Norway
Sokratis Katsikas University of Piraeus, Greece
Stefan Katzenbeisser Technische Universität Darmstadt, Germany
Florian Kerschbaum SAP Research, Germany
Dogan Kesdogan University of Regensburg, Germany
Kwangjo Kim KAIST, South Korea
Valentin Kisimov University of National and World Economy,
Bulgaria
Zbigniew Kotulski Warsaw University of Technology, Poland
Stefan Köpsell Technische Universität Dresden, Germany
Peter Lambert Australian Defence Science and Technology
Organisation
Christof Leng International Computer Science Institute, USA
Luigi Logrippo Université du Québec en Outaouais, Canada
Javier Lopez University of Málaga, Spain
Emil Lupu Imperial College London, UK
Heiko Mantel Technische Universität Darmstadt, Germany
Stephen Marsh University of Ontario Institute of Technology,
Canada
Fabio Martinelli IIT-CNR, Italy
Michael Meier University of Bonn, Germany
Erik Moore Regis University, USA
Martin Mulazzani SBA Research, Austria
Yuko Murayama Iwate Prefectural University, Japan
Vincent Naessens Katholieke Universiteit Leuven, Belgium
Kara Nance University of Alaska Fairbanks, USA
Eiji Okamoto University of Tsukuba, Japan
Federica Paci University of Trento, Italy
Jakob Illeborg Pagter Security Lab, The Alexandra Institute Ltd,
Denmark
Sebastian Pape Technische Universität Dortmund, Germany
Malcolm Pattinson The University of Adelaide, Australia
Philippos Peleties USB BANK PLC, Cyprus
Günther Pernul University of Regensburg, Germany
Gilbert Peterson US Air Force Institute of Technology, USA
Joachim Posegga University of Passau, Germany
Kai Rannenberg Goethe-Universität Frankfurt, Germany
Indrajit Ray Colorado State University, USA
Indrakshi Ray Colorado State University, USA
Konrad Rieck University of Göttingen, Germany
Carlos Rieder isec ag, Luzern, Switzerland
Yves Roudier EURECOM, France
Mark Ryan University of Birmingham, UK
P.Y.A. Ryan University of Luxembourg, Luxembourg
Pierangela Samarati Università degli Studi di Milano, Italy
Thierry Sans Carnegie Mellon University, USA
Damien Sauveron XLIM/UMR University of Limoges, France
Ingrid Schaumüller-Bichl University of Applied Sciences Upper Austria,
Austria
Björn Scheuermann Humboldt University of Berlin, Germany
Sebastian Schinzel Münster University of Applied Sciences, Germany
Guido Schryen University of Regensburg, Germany
Joerg Schwenk Ruhr-Universität Bochum, Germany
Anne Karen Seip Finanstilsynet, Norway
Jetzabel Serna-Olvera Goethe-Universität Frankfurt, Germany
Abbas Shahim University of Amsterdam, The Netherlands
Haya Shulman Technische Universität Darmstadt, Germany
Adesina Sodiya Federal University of Agriculture, Nigeria
Radu State University of Luxembourg, Luxembourg
Thorsten Strufe Technische Universität Dresden, Germany
Kerry-Lynn Thomson Nelson Mandela Metropolitan University,
South Africa
Bhavani Thuraisingham University of Texas at Dallas, USA
Nils Ole Tippenhauer Singapore University of Technology and Design,
Singapore
Carmela Troncoso Gradiant, Spain
Markus Tschersich Goethe-Universität Frankfurt, Germany
Pedro Veiga University of Lisbon, Portugal
Michael Vielhaber Hochschule Bremerhaven, Germany
Teemupekka Virtanen Ministry of Social Affairs and Health, Finland
Melanie Volkamer Technische Universität Darmstadt, Germany
Rossouw Von Solms Nelson Mandela Metropolitan University,
South Africa
Jozef Vyskoc VaF, Slovak Republic
Lingyu Wang Concordia University, Canada
Christian Weber Ostfalia University of Applied Sciences, Germany
Edgar Weippl Vienna University of Technology, Austria
Steffen Wendzel Fraunhofer FKIE, Germany
Gunnar Wenngren Sweden
Jeff Yan Newcastle University, UK
Zhenxin Zhan Juniper Networks, USA
Alf Zugenmaier Hochschule München, Germany
André Zúquete DETI/IEETA, University of Aveiro, Portugal

Additional Reviewers
Abdali, Jamal Arp, Daniel Bilzhause, Arne
Ahn, Soohyun Bal, Gökhan Bkakria, Anis
Albarakati, Abdullah Barrère, Martín Blanco-Justicia, Alberto
Alcaraz, Cristina Beck, Martin Bottineli, Paul
Aminanto, Muhamad Erza Belgacem, Boutheyna Bou-Harb, Elias
Boukayoua, Fasyal Johansen, Christian Nikova, Svetla
Boukoros, Spyros Jäschke, Angela Nishioka, Dai
Boulares, Sofiene Kalloniatis, Christos Nordholt, Peter Sebastian
Budurushi, Jurlind Kambourakis, Georgios Nuñez, David
Buhov, Damjan Kasem-Madani, Saffija Octeau, Damien
Caballero, Juan Katos, Vasilios Ølnes, Jon
Calviño, Aida Kaur, Jaspreet Ordean, Mihai
de La Piedra, Antonio Kieseberg, Peter Palomaki, Jussi
De Sutter, Bjorn Kim, Hakju Perner, Matthias
Denzel, Michael Koens, Tommy Pimenidis, Lexi
Diener, Michael Kokolakis, Spyros Pohl, Christoph
Drijvers, Manu Krasnova, Anna Prigent, Nicolas
Drogkaris, Prokopios Krombholz, Katharina Put, Andreas
Engelke, Toralf Kulyk, Oksana Ray, Sujoy
Farcasin, Michael Kunz, Michael Reinfelder, Lena
Fischer, Lars Kurtz, Andreas Reiser, Hans P.
Fitzsimons, Joseph Lackorzynski, Tim Reubold, Jan
Fomichev, Mikhail Lancrenon, Jean Ribes González, Jordi
Freisleben, Bernd Lazrig, Ibrahim Ricci, Sara
Fuchs, Karl-Peter Le, Meixing Richthammer, Christian
Fuchs, Ludwig Lemaire, Laurens Riek, Markus
Garcia, Fuensanta Torres Lindemann, Jens Ringers, Sietse
Garn, Bernhard Liu, Jia Roman, Rodrigo
Gascon, Hugo Liu, Joseph Roos, Stefanie
Gay, Richard Liu, Zhe Roscoe, Bill
Gazeau, Ivan Lortz, Steffen Roth, Christian
Geneiatakis, Dimitris Lueks, Wouter Rothstein Morris, Eric
Gerber, Christoph Mahalanobis, Ayan Sabouri, Ahmad
Gerber, Paul Manzoor, Salman Saito, Yoshia
Gottschlich, Wolfram Marktscheffel, Tobias Samelin, Kai
Grewal, Gurchetan Mayer, Peter Saracino, Andrea
Gruhn, Michael Melissen, Matthijs Schmitz, Christopher
Gudymenko, Ivan Mikhalev, Vasily Schöttle, Pascal
Gutmann, Andreas Mikkelsen, Gert Læssøe Sgandurra, Daniele
Hay, Brian Milutinovic, Milica Simkin, Mark
Heim, Stephan Moataz, Tarik Simos, Dimitris
Hernandez, Julio Morales, Roberto Skjernaa, Berit
Hils, Maximilian Moussa, Bassam Skrobot, Marjan
Hobel, Heidi Mulamba, Dieudonne Soria-Comas, Jordi
Hu, Jinwei Muñoz-González, Luis Starostin, Artem
Härterich, Martin Müller, Tilo Stepien, Bernard
Imran Daud, Malik Najafiborazjani, Parnian Strizhov, Mikhail
Iwaya, Leonardo Netter, Michael Sänger, Johannes
Jakobsen, Thomas P. Neumann, Stephan Tesfay, Welderufael
Jakobsson, Markus Neuner, Sebastian Timchenko, Max
Jensen, Jonas Lindstrøm Nieto, Ana Tomandl, Andreas
Tonejc, Jernej Wang, Ding Yang, Shuzhe
Tzouramanis, Theodoros Wang, Zhan Yasasin, Emrah
Ullrich, Johanna Weber, Alexandra Yesuf, Ahmed Seid
Urquidi, Miguel Weber, Michael Yin, Xucheng
Venkatesan, Sridhar Weishäupl, Eva Yu, Jiangmin
Veseli, Fatbardh Wressnegger, Christian Yu, Jiangshan
Voelzow, Victor Wundram, Martin Zhang, Lei
Vossaert, Jan Yaich, Reda Zhang, Yuexin
Vullers, Pim Yamaguchi, Fabian Zimmer, Ephraim
Contents

Privacy

O-PSI: Delegated Private Set Intersection on Outsourced Datasets
Aydin Abadi, Sotirios Terzis, and Changyu Dong

Flexible and Robust Privacy-Preserving Implicit Authentication
Josep Domingo-Ferrer, Qianhong Wu, and Alberto Blanco-Justicia

Towards Relations Between the Hitting-Set Attack and the Statistical Disclosure Attack
Dang Vinh Pham and Dogan Kesdogan

POSN: A Personal Online Social Network
Esra Erdin, Eric Klukovich, Gurhan Gunduz, and Mehmet Hadi Gunes

Strategic Noninterference
Wojciech Jamroga and Masoud Tabatabaei

Verifying Observational Determinism
Jaber Karimpour, Ayaz Isazadeh, and Ali A. Noroozi

Web Security

Cache Timing Attacks Revisited: Efficient and Repeatable Browser History, OS and Network Sniffing
Chetan Bansal, Sören Preibusch, and Natasa Milic-Frayling

Enforcing Usage Constraints on Credentials for Web Applications
Jinwei Hu, Heiko Mantel, and Sebastian Ruhleder

A Survey of Alerting Websites: Risks and Solutions
Amrit Kumar and Cédric Lauradoux

Access Control, Trust and Identity Management

A Generalization of ISO/IEC 24761 to Enhance Remote Authentication with Trusted Product at Claimant
Asahiko Yamada

Enhancing Passwords Security Using Deceptive Covert Communication
Mohammed H. Almeshekah, Mikhail J. Atallah, and Eugene H. Spafford

Information Sharing and User Privacy in the Third-party Identity Management Landscape
Anna Vapen, Niklas Carlsson, Anirban Mahanti, and Nahid Shahmehri

An Iterative Algorithm for Reputation Aggregation in Multi-dimensional and Multinomial Rating Systems
Mohsen Rezvani, Mohammad Allahbakhsh, Lorenzo Vigentini, Aleksandar Ignjatovic, and Sanjay Jha

A Comparison of PHY-Based Fingerprinting Methods Used to Enhance Network Access Control
Timothy J. Carbino, Michael A. Temple, and Juan Lopez Jr.

Model-Driven Integration and Analysis of Access-control Policies in Multi-layer Information Systems
Salvador Martínez, Joaquin Garcia-Alfaro, Frédéric Cuppens, Nora Cuppens-Boulahia, and Jordi Cabot

Network Security

Authenticated File Broadcast Protocol
Simão Reis, André Zúquete, Carlos Faneca, and José Vieira

Automated Classification of C&C Connections Through Malware URL Clustering
Nizar Kheir, Gregory Blanc, Hervé Debar, Joaquin Garcia-Alfaro, and Dingqi Yang

B.Hive: A Zero Configuration Forms Honeypot for Productive Web Applications
Christoph Pohl, Alf Zugenmaier, Michael Meier, and Hans-Joachim Hof

Security Management and Human Aspects of Security

Investigation of Employee Security Behaviour: A Grounded Theory Approach
Lena Connolly, Michael Lang, and J.D. Tygar

Practice-Based Discourse Analysis of InfoSec Policies
Fredrik Karlsson, Göran Goldkuhl, and Karin Hedström

Understanding Collaborative Challenges in IT Security Preparedness Exercises
Maria B. Line and Nils Brede Moe

Social Groupings and Information Security Obedience Within Organizations
Teodor Sommestad

Attack Trees with Sequential Conjunction
Ravi Jhawar, Barbara Kordy, Sjouke Mauw, Saša Radomirović, and Rolando Trujillo-Rasua

Enhancing the Security of Image CAPTCHAs Through Noise Addition
David Lorenzi, Emre Uzun, Jaideep Vaidya, Shamik Sural, and Vijayalakshmi Atluri

Software Security

SHRIFT System-Wide HybRid Information Flow Tracking
Enrico Lovat, Alexander Fromm, Martin Mohr, and Alexander Pretschner

ISboxing: An Instruction Substitution Based Data Sandboxing for x86 Untrusted Libraries
Liang Deng, Qingkai Zeng, and Yao Liu

Exploit Generation for Information Flow Leaks in Object-Oriented Programs
Quoc Huy Do, Richard Bubel, and Reiner Hähnle

Memoized Semantics-Based Binary Diffing with Application to Malware Lineage Inference
Jiang Ming, Dongpeng Xu, and Dinghao Wu

Mitigating Code-Reuse Attacks on CISC Architectures in a Hardware Approach
Zhijiao Zhang, Yashuai Lü, Yu Chen, Yongqiang Lü, and Yuanchun Shi

Integrity for Approximate Joins on Untrusted Computational Servers
Sabrina De Capitani di Vimercati, Sara Foresti, Sushil Jajodia, Stefano Paraboschi, and Pierangela Samarati

Applied Cryptography

Fast Revocation of Attribute-Based Credentials for Both Users and Verifiers
Wouter Lueks, Gergely Alpár, Jaap-Henk Hoepman, and Pim Vullers

Chaotic Chebyshev Polynomials Based Remote User Authentication Scheme in Client-Server Environment
Toan-Thinh Truong, Minh-Triet Tran, Anh-Duc Duong, and Isao Echizen

A Secure Exam Protocol Without Trusted Parties
Giampaolo Bella, Rosario Giustolisi, Gabriele Lenzini, and Peter Y.A. Ryan

Mobile and Cloud Services Security

ApkCombiner: Combining Multiple Android Apps to Support Inter-App Analysis
Li Li, Alexandre Bartel, Tegawendé F. Bissyandé, Jacques Klein, and Yves Le Traon

Assessment of the Susceptibility to Data Manipulation of Android Games with In-app Purchases
Francisco Vigário, Miguel Neto, Diogo Fonseca, Mário M. Freire, and Pedro R.M. Inácio

An Empirical Study on Android for Saving Non-shared Data on Public Storage
Xiangyu Liu, Zhe Zhou, Wenrui Diao, Zhou Li, and Kehuan Zhang

The Dual-Execution-Environment Approach: Analysis and Comparative Evaluation
Mohamed Sabt, Mohammed Achemlal, and Abdelmadjid Bouabdallah

On the Privacy, Security and Safety of Blood Pressure and Diabetes Apps
Konstantin Knorr, David Aspinall, and Maria Wolters

A Cloud-Based eHealth Architecture for Privacy Preserving Data Integration
Alevtina Dubovitskaya, Visara Urovi, Matteo Vasirani, Karl Aberer, and Michael I. Schumacher

Cyber-physical Systems and Critical Infrastructures Security

Application of a Game Theoretic Approach in Smart Sensor Data Trustworthiness Problems
Konstantinos Maraslis, Theodoros Spyridopoulos, George Oikonomou, Theo Tryfonas, and Mo Haghighi

Securing BACnet’s Pitfalls
Jaspreet Kaur, Jernej Tonejc, Steffen Wendzel, and Michael Meier

On the Secure Distribution of Vendor-Specific Keys in Deployment Scenarios
Nicolai Kuntze and Carsten Rudolph

Author Index


Privacy

O-PSI: Delegated Private Set Intersection on Outsourced Datasets

Aydin Abadi, Sotirios Terzis, and Changyu Dong

Department of Computer and Information Sciences, University of Strathclyde, Glasgow, UK
{aydin.abadi,sotirios.terzis,changyu.dong}@strath.ac.uk

Abstract. Private set intersection (PSI) has a wide range of applications
such as privacy-preserving data mining. With the advent of cloud
computing it is now desirable to take advantage of the storage and
computation capabilities of the cloud to outsource datasets and delegate PSI
computation. In this paper we design O-PSI, a protocol for delegated
private set intersection on outsourced datasets based on a novel point-value
polynomial representation. Our protocol allows multiple clients to
independently prepare and upload their private datasets to a server, and then
ask the server to calculate their intersection. The protocol ensures that
intersections can only be calculated with the permission of all clients
and that datasets and results remain completely confidential from the
server. Once datasets are outsourced, the protocol supports an unlimited
number of intersections with no need to download them or prepare
them again for computation. Our protocol is efficient and has computation
and communication costs linear to the cardinality of the datasets.
We also provide a formal security analysis of the protocol.

1 Introduction
Cloud computing allows clients with limited computation and storage capabili-
ties to outsource their private data and at a later time, ask the cloud to perform
computation on them. Delegation of data storage and computation to the cloud
has become common practice for individuals and big enterprises alike [1,2]. As
a result, often the need arises for clients to perform computation on their out-
sourced private data jointly, ideally without the need to download the data.
In this paper, we consider a particular such scenario, in which the private
data take the form of sets and the computation of interest is set intersection, i.e.
private set intersection (PSI).
In PSI, two parties want to find out the intersection of their sets and also
want to prevent the other party from finding out anything more about their own
set than the elements of the intersection. In general, PSI captures a wide range
of real-world applications such as privacy preserving data mining [3], homeland
security [4] and so on. For example, consider a case where a law enforcement
agency has a list of suspects and wants to compare it against flight passenger
lists. Here the names of the suspects should be kept hidden from the airlines
while the agency should not be able to find out about other passengers in order
to protect their privacy. As another example, consider the situation where a
social welfare organization wants to know whether any of its members receives
income from another organization, but neither organization can reveal their list
of members.

© IFIP International Federation for Information Processing 2015
H. Federrath and D. Gollmann (Eds.): SEC 2015, IFIP AICT 455, pp. 3–17, 2015.
DOI: 10.1007/978-3-319-18467-8_1

Although a number of protocols have been proposed for PSI (see section 2
for a survey), cloud computing introduces additional challenges as the private
datasets are outsourced and the private set intersection is delegated to cloud
servers. In addition to keeping their sets confidential, clients are also interested
in preventing cloud servers from finding out anything about their sets and the
intersection. In other words, clients are interested in delegated private set inter-
section on outsourced data. To allow for more flexibility it is desirable that clients
should be able to engage in PSI computation with any other client of the cloud
provider. However, they should remain in charge of deciding which clients are
allowed to use their sets. To fully take advantage of the cloud capabilities and
minimize costs, clients should not have to keep locally or download their datasets
every time an intersection needs to be computed, while their involvement in the
computation should be limited.
We propose O-PSI, a PSI protocol that addresses these requirements. Our
protocol uses homomorphic encryption and a novel point-value polynomial rep-
resentation for datasets that allows clients to independently secure their sets
and outsource them to the cloud, while cloud servers are able to calculate their
intersection. The protocol ensures that intersections can only be computed with
the permission of the clients and that the result will remain secret from the
server. The protocol also allows outsourced sets to be used an unlimited number
of times securely without the need to secure them again. More interestingly, the
novel set representation means that computation and communication costs are
linear to the size of the sets.
The paper starts with a survey of related work in section 2, followed by a
brief overview of our security model and key concepts we rely on in section 3.
Section 4 presents the design of our protocol, while section 5 proves its security.
Section 6 proposes extensions to support data integrity verification and multiple
clients, while section 7 presents an analysis of its computation and communica-
tion complexity, and a comparison to work that is closest to our aims. Section 8
concludes the paper and identifies directions for future work.

2 Related Work

Private set intersection (PSI) was introduced in [5]. Following that [6] proposed
a number of protocols supporting further set operations and multiple clients
based on additive homomorphic encryption and polynomial representation of
sets. More recently, several efficient protocols have been proposed. For exam-
ple, [4,7] use blind signatures and hash functions to provide efficient PSI in the
semi-honest and the malicious security models respectively, [8] uses Bloom fil-
ters, secret sharing and oblivious transfer to offer even more efficient protocols,
and [9] extends [8] and uses hash tables and a more efficient oblivious transfer
extension protocol for better efficiency. However, all these regular PSI protocols
are interactive, in the sense that clients jointly compute the intersection. They
are not designed with the capability to outsource any data or delegate any of
the computation to a third party.
In another line of research, the protocols proposed in [10,11] support outsourced
verifiable dynamic set operations, including set intersection. These protocols
make use of bilinear map accumulators and authenticated hash tables (i.e. accu-
mulator trees) to verify the correctness of operations carried out by a server on
outsourced sets. However, these protocols are designed for a single client to out-
source a collection of sets to a server and later to compute the intersections of its
own sets. The protocols are designed to provide verifiability of computation, not
data privacy. Data are outsourced in plaintext and the protocols do not work if
data are encrypted.
More interestingly, a number of PSI protocols have been proposed in which
clients delegate computation to a server [12–16]. A protocol proposed in [14] allows
clients to outsource their sets to a server by hashing each element and adding a ran-
dom value. They then delegate the computation of the intersection to the server.
However, this protocol is not fully private, as it reveals to the server the cardi-
nality of the intersection. In addition to the above issue, because of the way the
sets are encoded if the intersection between the sets of client A and B is com-
puted, followed by that between the sets of client A and C, then the server will
also find out whether some elements are common in the sets of client B and C
without their consent. In [16] clients also delegate the computation to a server.
Clients encrypt their sets and outsource them. The server also provides a proof
that allows the clients to verify the correctness of the result. However, the proto-
col is not fully private and suffers from the same issues described above. Another
protocol that delegates computation to a server is proposed in [12]. The protocol
is based on a pseudorandom permutation (PRP) of the set elements with the key
for the PRP generated jointly by the clients at setup. One variant of the protocol
can hide the cardinality of the intersection. However, in this variant computation
is delegated to one of the clients rather than the server. The server’s role is limited
to re-encoding one client’s set to maintain the privacy of the computation. In the
protocol, clients can detect if the server provided incorrect results at the cost of
replicating a number of times all elements of the sets.
In a similar line of research, a protocol proposed in [13] allows one client, say
client A, to encrypt and outsource its set, and delegate computation to a server.
The server can then engage in a PSI protocol on this client’s behalf with another
client, say client B. However, this delegation is one-off: if A wants to compute set
intersection with C, then A must encrypt its set with a new key and re-delegate
to the server. In addition to this protocol, in [15] two clients can delegate the PSI
computation to a server. In this protocol rather than encrypting and outsourcing
their sets, the clients encrypt and outsource Bloom filters of their sets that are then
used by the server to privately compute their intersection. However, in this case in
order for the clients to get the result of the intersection they need to keep a local
copy of their sets. So, this protocol does not really allow outsourcing the sets.
From the above discussion, it should be clear that none of the protocols above
allows clients to fully delegate PSI computation to the server without the need
to either maintain the sets locally or having to re-encode and re-upload the sets
for each intersection computation, namely none support delegated private set
intersection on outsourced sets. As a result, none of them are particularly suited
for a cloud computing setting.

3 Preliminaries
3.1 Security Model

We consider a setting in which static semi-honest adversaries are present. In
this setting, the adversary controls one of the parties and follows the protocol
specification exactly. However, it may try to learn more information about the
other party’s input. The definitions and model are according to [17].
In a delegated PSI protocol, three parties are involved: a server P, and two
clients A and B. We assume the server does not collude with A or B. As the
server (or cloud provider) is often a well established IT company, it is reasonable
to assume it will not collude with the clients because collusion will seriously
damage its reputation and decrease its revenue. This non-colluding assumption
is widely used in the literature [12,18,19]. The three-party protocol $\pi$ computes a
function that maps the inputs to some outputs. We define this function as follows:
$F : \Lambda \times 2^{U} \times 2^{U} \to \Lambda \times \Lambda \times f_{\cap}$, where $\Lambda$ denotes the empty string, $2^{U}$ denotes
the powerset of the set universe and $f_{\cap}$ denotes the set intersection function.
For every tuple of inputs $\Lambda$, $S_A$ and $S_B$ belonging to P, A and B respectively, the
function outputs nothing to P and A, and outputs $f_{\cap}(S_A, S_B) = S_A \cap S_B$ to B.
In the semi-honest model, a protocol $\pi$ is secure if whatever can be computed
by a party in the protocol can be obtained from its input and output only.
This is formalized by the simulation paradigm. We require a party’s view in a
protocol execution to be simulatable given only its input and output. The view
of the party $i$ during an execution of $\pi$ on input tuple $(x, y, z)$ is denoted by
$\mathrm{view}^{\pi}_{i}(x, y, z)$ and equals $(w, r_i, m^{i}_{1}, ..., m^{i}_{t})$ where $w \in (x, y, z)$ is the input of $i$,
$r_i$ is the outcome of $i$’s internal random coin tosses and $m^{i}_{j}$ represents the $j$th
message that it received.

Definition 1. Let $F$ be a deterministic function as defined above. We say that
the protocol $\pi$ securely computes $F$ in the presence of static semi-honest adversaries
if there exist probabilistic polynomial-time algorithms $\mathrm{Sim}_P$, $\mathrm{Sim}_A$ and
$\mathrm{Sim}_B$ that given the input and output of a party, can simulate a view that is
computationally indistinguishable from the party’s view in the protocol:

$$\mathrm{Sim}_P(\Lambda, \Lambda) \stackrel{c}{\equiv} \mathrm{view}^{\pi}_{P}(\Lambda, S_A, S_B)$$
$$\mathrm{Sim}_A(S_A, \Lambda) \stackrel{c}{\equiv} \mathrm{view}^{\pi}_{A}(\Lambda, S_A, S_B)$$
$$\mathrm{Sim}_B(S_B, f_{\cap}(S_A, S_B)) \stackrel{c}{\equiv} \mathrm{view}^{\pi}_{B}(\Lambda, S_A, S_B)$$

3.2 Homomorphic Encryption


A semantically secure additively homomorphic public key encryption scheme has
the following properties:
1. Given two ciphertexts $E_{pk}(a)$, $E_{pk}(b)$, $E_{pk}(a) \cdot E_{pk}(b) = E_{pk}(a + b)$.
2. Given a ciphertext $E_{pk}(a)$ and a constant $b$, $E_{pk}(a)^{b} = E_{pk}(a \cdot b)$.
One such scheme is the Paillier public key cryptosystem [20]. It works as follows:

Key Generation: Choose two random large primes $p$ and $q$ according to a given
security parameter, and set $N = pq$. Let $u$ be the Carmichael value of $N$, i.e.
$u = \mathrm{lcm}(p - 1, q - 1)$ where lcm stands for the least common multiple. Choose
a random $g \in \mathbb{Z}^{*}_{N^2}$, and ensure that $s = (L(g^{u} \bmod N^2))^{-1} \bmod N$ exists where
$L(x) = \frac{x - 1}{N}$. The public key is $pk = (N, g)$ and the secret key is $sk = (u, s)$.

Encryption: To encrypt a plaintext $m \in \mathbb{Z}_N$, pick a random value $r \in \mathbb{Z}^{*}_{N}$, and
compute the ciphertext: $C = E_{pk}(m) = g^{m} \cdot r^{N} \bmod N^2$.

Decryption: To decrypt a ciphertext $C$, $D_{sk}(C) = L(C^{u} \bmod N^2) \cdot s \bmod N = m$.

3.3 Polynomial Representation of Sets


Many PSI protocols, e.g. [5,6], use a polynomial representation of sets. Let $R$
be a field, then we denote a polynomial ring as $R[x]$. The polynomial ring $R[x]$
consists of all polynomials with coefficients from $R$. Given a set $S$ of size $d$,
$|S| = d$, we can map each element in $S$ to an element in a sufficiently large field
$R$. Then we can represent this set as a polynomial in the polynomial ring $R[x]$.
The polynomial is defined as $\rho(x) = \prod_{s_i \in S}(x - s_i)$ and has the property that
every element $s_i \in S$ is a root of it.
For two sets $S_A$ and $S_B$ represented by polynomials $\rho_A$ and $\rho_B$ respectively,
$\gcd(\rho_A, \rho_B)$ represents the set intersection $S_A \cap S_B$, where gcd stands for the
greatest common divisor. For polynomials $\rho_A$ and $\rho_B$ of degree $d$ and $\gamma_A$ and $\gamma_B$
that are degree $d$ polynomials chosen uniformly at random from $R[x]$, it is proved
in [6] that $\gamma_A \cdot \rho_A + \gamma_B \cdot \rho_B = \mu \cdot \gcd(\rho_A, \rho_B)$ such that $\mu$ is a uniformly random
polynomial. This means that if $\rho_A$ and $\rho_B$ are polynomials representing sets $S_A$
and $S_B$, then the polynomial $\gamma_A \cdot \rho_A + \gamma_B \cdot \rho_B$ contains only information about
$S_A \cap S_B$ and no information about other elements in $S_A$ or $S_B$. This forms the
basis of their PSI protocol in which a party obtains $\gamma_A \cdot \rho_A + \gamma_B \cdot \rho_B$ to find the
set intersection but learns nothing more about elements in the other party’s set.

4 O-PSI: Delegated Private Set Intersection on Outsourced Datasets
4.1 Polynomials in Point-value Form
In section 3.3 we showed that a set can be represented as a polynomial and set
intersection can be computed by polynomial arithmetic. All previous PSI protocols
using polynomial representation of sets represent a polynomial as a vector
of the polynomial’s coefficients. They represent a degree $d$ polynomial $\rho = \sum_{i=0}^{d} a_i x^{i}$
as a vector $\mathbf{a} = (a_0, a_1, ..., a_d)$. This representation, while it allows the protocols
to correctly compute the result, has a major disadvantage. The complexity of
multiplying two polynomials of degree $d$ in coefficient representation is $O(d^2)$. In
PSI protocols, this leads to significant computational overheads. Usually in such
protocols, one polynomial needs to be encrypted and the polynomial multiplication
has to be done homomorphically. Homomorphic multiplication operations
are computationally expensive. Thus using a coefficient representation means
that the protocols are not scalable.
In O-PSI, we solve this problem by representing the polynomials in another
well-known form, point-value. A degree $d$ polynomial $\rho$ can be represented as a
set of $n$ ($n > d$) point-value pairs $\{(x_0, y_0), ..., (x_{n-1}, y_{n-1})\}$ such that all $x_i$ are
distinct and $y_i = \rho(x_i)$ for $0 \le i \le n - 1$. If the $x$ values are fixed, we can omit
them and represent polynomials as vectors $\mathbf{y} = (y_0, y_1, ..., y_{n-1})$. A polynomial
in point-value form can be translated into coefficient form by polynomial
interpolation [21]. Polynomial arithmetic in point-value representation can be done by
point-wise addition or multiplication. For two degree $d$ polynomials $\rho_A$ and $\rho_B$
represented in point-value form by two vectors $\mathbf{y}^{(A)}$ and $\mathbf{y}^{(B)}$, $\rho_A + \rho_B$ can be
computed as $(y^{(A)}_0 + y^{(B)}_0, y^{(A)}_1 + y^{(B)}_1, ..., y^{(A)}_{n-1} + y^{(B)}_{n-1})$, and $\rho_A \cdot \rho_B$ can be computed as
$(y^{(A)}_0 \cdot y^{(B)}_0, y^{(A)}_1 \cdot y^{(B)}_1, ..., y^{(A)}_{n-1} \cdot y^{(B)}_{n-1})$. Note because the product of $\rho_A \cdot \rho_B$ is a
polynomial of degree $2d$, $\rho_A$ and $\rho_B$ must be represented by at least $2d + 1$ points to
accommodate the result. The key benefit of point-value representation is that
multiplication complexity is reduced to $O(d)$. This makes O-PSI much more scalable.

4.2 O-PSI Protocol

The interaction between parties in O-PSI is depicted in Fig. 1. At a high level,
the protocol works as follows. Each client first outsources its set to the server.
To do so, the client uploads a vector that encodes its set to the server. The
vector is blinded so that the server cannot figure out the client’s set, and the
other client cannot figure out any element outside the intersection. If a client,
client B, wants to compute the intersection of its own set and another client’s
set, say client A’s set, it must obtain permission from A. If A agrees, A can
compute jointly with B some encrypted values. The encrypted values will be
used by the server to remove part of the blinding factors from A’s data, and
this then allows the set intersection to be computed. At the end of the protocol
client B receives an encrypted vector which it can decrypt and use the decrypted
values to interpolate a polynomial that encodes the intersection. The protocol is
described below. We will explain the rationale behind the protocol design after
the protocol description.

Fig. 1. Interaction between parties in O-PSI (diagram of the messages exchanged between the Server (Cloud), Client A and Client B)

1. Setup. Let $U$ be the universe of set elements. There is a public finite field
$R$ that is big enough to encode all elements in $U$ and also such that an element
picked uniformly at random from $R$ has only negligible probability of
representing an element of a set. Client A has a set $S_A \subset U$ and client B has
a set $S_B \subset U$. Without loss of generality, we let $|S_A| = |S_B| = d$. The server
publishes a vector $\mathbf{x}$ containing $n = 2d + 1$ random distinct values from $R$.
The server also publishes a pseudorandom function $f : \{0, 1\}^{l} \times \mathbb{Z} \to R$,
which maps an $l$-bit string to an element in $R$ pseudorandomly.
2. Outsource. This step is the same at both clients. Let $I \in \{A, B\}$, then the
client $I$ does the following:
(a) Generates a Paillier key pair $(pk_I, sk_I)$ (see section 3.2) and publishes
the public key. It also chooses a random private key $k_I$ for the pseudorandom
function $f$. All keys are generated according to a given security
parameter.
(b) Constructs a polynomial $\tau_I = \prod_{s^{(I)}_i \in S_I}(x - s^{(I)}_i)$ that represents its set
$S_I$. Evaluates $\tau_I$ at every value in the $\mathbf{x}$ published by the server producing
$\mathbf{y}^{(I)}$ such that $y^{(I)}_i = \tau_I(x_i)$ for $0 \le i \le n - 1$.
(c) Sends $\mathbf{v}^{(I)}$ to the server, where $\forall v^{(I)}_i \in \mathbf{v}^{(I)}$, $v^{(I)}_i = y^{(I)}_i \cdot r^{(I)}_i$, $y^{(I)}_i$ is the $i$th
element in $\mathbf{y}^{(I)}$, $r^{(I)}_i = f(k_I, i)$. Here, $\mathbf{v}^{(I)}$ is a blinded version of its set
polynomial.
3. Set Intersection. In this step, client B wants to know the intersection of
its set and client A’s set.
(a) Client B sends a request to client A. Along with the request, client B
also sends its ID and a vector $\mathbf{e}^{(B)}$, such that $e^{(B)}_i = E_{pk_B}(r^{(B)}_i)$ where
$r^{(B)}_i = f(k_B, i)$ for $0 \le i \le n - 1$ are the values used to blind its set
polynomial.
(b) Client A can send a Deny message to end the protocol here, or if it
agrees to engage in the computation of the set intersection, it sends a
Permit message to client B. It also sends a Compute message that
contains its own and B’s IDs, and a vector $\mathbf{e}^{(A)}$ to the server. The vector
$\mathbf{e}^{(A)}$ is computed as follows: for $0 \le i \le n - 1$,
$e^{(A)}_i = (e^{(B)}_i)^{(r^{(A)}_i)^{-1}} = E_{pk_B}(r^{(B)}_i \cdot (r^{(A)}_i)^{-1})$
where $r^{(I)}_i = f(k_I, i)$ for $I \in \{A, B\}$ are the values from step 2c above.
(c) After receiving the Compute message from A, the server extracts $\mathbf{e}^{(A)}$
and retrieves the data $\mathbf{v}^{(A)}$ and $\mathbf{v}^{(B)}$ from its storage. The server then
chooses two degree $d$ polynomials $\omega_I$ randomly from $R[x]$ and computes
two vectors $\mathbf{w}^{(I)}$ ($I \in \{A, B\}$) such that $w^{(I)}_i = \omega_I(x_i)$ for $0 \le i \le n - 1$
where $x_i$ is the $i$th element in the public vector $\mathbf{x}$.
(d) The server computes a result vector $\mathbf{t}$ such that for $0 \le i \le n - 1$:

$$\begin{aligned}
t_i &= (e^{(A)}_i)^{v^{(A)}_i \cdot w^{(A)}_i} \cdot E_{pk_B}(w^{(B)}_i)^{v^{(B)}_i} \\
&= E_{pk_B}(r^{(B)}_i \cdot (r^{(A)}_i)^{-1} \cdot y^{(A)}_i \cdot r^{(A)}_i \cdot w^{(A)}_i) \cdot E_{pk_B}(w^{(B)}_i \cdot y^{(B)}_i \cdot r^{(B)}_i) \\
&= E_{pk_B}(r^{(B)}_i \cdot (w^{(A)}_i \cdot y^{(A)}_i + w^{(B)}_i \cdot y^{(B)}_i))
\end{aligned}$$

The server sends $\mathbf{t}$ to client B.
(e) After receiving $\mathbf{t}$, client B computes a vector $\mathbf{z}$ such that for $0 \le i \le n - 1$:

$$\begin{aligned}
z_i &= D_{sk_B}(t_i) \cdot (r^{(B)}_i)^{-1} \\
&= r^{(B)}_i \cdot (w^{(A)}_i \cdot y^{(A)}_i + w^{(B)}_i \cdot y^{(B)}_i) \cdot (r^{(B)}_i)^{-1} \\
&= w^{(A)}_i \cdot y^{(A)}_i + w^{(B)}_i \cdot y^{(B)}_i
\end{aligned}$$

It then interpolates the polynomial $\zeta$ using point-value pairs $(x_i, z_i)$. The
roots of $\zeta$ are the elements in the set intersection.

Remark 1: In the Setup step, the server needs to publish a vector $\mathbf{x}$ that has
$2d + 1$ elements, because the polynomial $\zeta$ in step 3e is of degree $2d$ and at
least $2d + 1$ points are needed to interpolate it. The elements in $\mathbf{x}$ are picked at
random from $R$ so that the probability of $x_i$ being a root of a client’s polynomial
is negligible.
Remark 2: In step 2c, the client blinds its vector. If the client stores $\mathbf{y}$ directly
on the server without blinding, then the server can use $\mathbf{y}$ and $\mathbf{x}$ to interpolate
the client’s polynomial, thus revealing the client’s set. With blinding this is
not possible unless the server knows the pseudorandom function key used by
the client. The protocol blinds values by multiplication. However, multiplication
cannot blind a value if the value is 0. This is why we require the probability of
$x_i$ in $\mathbf{x}$ being a root of a client’s polynomial to be negligible. If $x_i$ is a root then
$y_i$ is 0 and cannot be blinded.
Remark 3: The data values stored on the server are blinded by their owner. To
compute the set intersection those blinding factors ($r^{(I)}_i$ in the protocol) must
be eliminated. In step 3b, client A and B jointly compute the vector $\mathbf{e}^{(A)}$ to
“switch” A’s blinding factors to B’s blinding factors. In step 3d, $\mathbf{e}^{(A)}$ is used to
eliminate $r^{(A)}_i$ and replace it with $r^{(B)}_i$. This factor switching makes it possible
later to eliminate $r^{(B)}_i$ in step 3e. The values in $\mathbf{e}^{(A)}$ are encrypted with B’s public
key, so the server learns nothing in this process.
Remark 4: The client’s original blinded dataset remains unchanged in the
server. In fact in step 3c, the server multiplies a copy of the client’s blinded
dataset by the vector $\mathbf{w}^{(I)}$.
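
The following added example (not code from the paper or its authors) runs the message flow of steps 1 to 3e end to end with toy parameters, using the Paillier scheme of section 3.2 and the point-value representation of section 4.1. Its assumptions: R is Z_P for a small prime P with N > P^3 + P^2, so the homomorphic integer arithmetic never wraps modulo N and client B reduces modulo P after decrypting; f is HMAC-SHA256; g = N + 1; the public points are drawn outside the encoded universe; and B tests its own elements as candidate roots of ζ by Lagrange evaluation instead of factoring ζ. All function and constant names are this example's own.

```python
import hashlib
import hmac
import math
import secrets

# Constructed toy parameters (assumptions of this example, far too small for real use).
FIELD_P = 2**31 - 1                        # public field R = Z_P
UNIVERSE_MAX = 2**20                       # set elements are integers below this bound
PAILLIER_PRIMES = (2**61 - 1, 2**89 - 1)   # N > P^3 + P^2: plaintexts never wrap mod N


def paillier_keygen(p=PAILLIER_PRIMES[0], q=PAILLIER_PRIMES[1]):
    """Section 3.2 key generation, with the common choice g = N + 1."""
    n = p * q
    u = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p - 1, q - 1)
    s = pow((pow(n + 1, u, n * n) - 1) // n, -1, n)   # (L(g^u mod N^2))^-1 mod N
    return (n, n + 1), (u, s)


def encrypt(pk, m):
    n, g = pk
    r = secrets.randbelow(n - 1) + 1   # lies in Z*_N except with negligible probability
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)


def decrypt(pk, sk, c):
    n, (u, s) = pk[0], sk
    return (pow(c, u, n * n) - 1) // n * s % n


def prf(key, i):
    """f(k, i) instantiated with HMAC-SHA256 (assumption); the output is never 0."""
    mac = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (FIELD_P - 1) + 1


def eval_set_poly(elements, x):
    # tau(x) = product of (x - s) over the set, in Z_P
    return math.prod((x - s) % FIELD_P for s in elements) % FIELD_P


def lagrange_eval(xs, ys, at):
    """Value at `at` of the polynomial interpolating the points (xs[i], ys[i])."""
    total = 0
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        num = den = 1
        for j, xj in enumerate(xs):
            if j != i:
                num = num * (at - xj) % FIELD_P
                den = den * (xi - xj) % FIELD_P
        total = (total + yi * num * pow(den, -1, FIELD_P)) % FIELD_P
    return total


def outsource(elements, key, xs):
    """Step 2: blinded point-value vector v_i = tau(x_i) * f(k, i)."""
    return [eval_set_poly(elements, x) * prf(key, i) % FIELD_P for i, x in enumerate(xs)]


def client_b_request(pk_b, key_b, n):
    """Step 3a: e(B)_i = E_pkB(r(B)_i)."""
    return [encrypt(pk_b, prf(key_b, i)) for i in range(n)]


def client_a_permit(pk_b, e_b, key_a):
    """Step 3b: e(A)_i = (e(B)_i)^((r(A)_i)^-1), the inverse taken in Z_P."""
    n2 = pk_b[0] ** 2
    return [pow(c, pow(prf(key_a, i), -1, FIELD_P), n2) for i, c in enumerate(e_b)]


def server_compute(pk_b, e_a, v_a, v_b, xs, d):
    """Steps 3c and 3d: the server only handles blinded or encrypted values."""
    n2 = pk_b[0] ** 2
    omega_a, omega_b = ([secrets.randbelow(FIELD_P) for _ in range(d + 1)] for _ in "AB")
    t = []
    for i, x in enumerate(xs):
        w_a, w_b = (sum(c * pow(x, k, FIELD_P) for k, c in enumerate(om)) % FIELD_P
                    for om in (omega_a, omega_b))
        from_a = pow(e_a[i], v_a[i] * w_a % FIELD_P, n2)
        from_b = pow(encrypt(pk_b, w_b), v_b[i], n2)
        t.append(from_a * from_b % n2)
    return t


def client_b_recover(pk_b, sk_b, t, key_b, xs, set_b):
    """Step 3e: unblind, then keep B's elements that are roots of zeta."""
    z = [decrypt(pk_b, sk_b, c) * pow(prf(key_b, i), -1, FIELD_P) % FIELD_P
         for i, c in enumerate(t)]
    return {s for s in set_b if lagrange_eval(xs, z, s) == 0}


def run_opsi(set_a, set_b):
    d = max(len(set_a), len(set_b))
    xs = secrets.SystemRandom().sample(range(UNIVERSE_MAX, FIELD_P), 2 * d + 1)  # step 1
    pk_b, sk_b = paillier_keygen()
    key_a, key_b = secrets.token_bytes(16), secrets.token_bytes(16)
    v_a, v_b = outsource(set_a, key_a, xs), outsource(set_b, key_b, xs)
    e_a = client_a_permit(pk_b, client_b_request(pk_b, key_b, len(xs)), key_a)
    t = server_compute(pk_b, e_a, v_a, v_b, xs, d)
    return client_b_recover(pk_b, sk_b, t, key_b, xs, set_b)
```

The vectors returned by `outsource` are not modified by `server_compute`, so the same uploads can be reused for later intersections with fresh server polynomials, as Remark 4 describes.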

5 Proof of Security
Now we sketch the security proof of O-PSI in the semi-honest model (see
section 3.1). We conduct the security analysis for the three cases where one
of the parties is corrupted.

Theorem 1. If the homomorphic encryption scheme is semantically secure, the
O-PSI protocol is secure in the presence of a semi-honest adversary.

Proof. We will prove the theorem by considering in turn the case where each of
the parties has been corrupted. In each case we invoke the simulator with the
corresponding party’s input and output. Our focus is on the case where party
A wants to engage in the computation of the intersection. If party A does not
want to proceed in the protocol, the views can be simulated in the same way up
to the point where the execution stops.
Case 1: Corrupted server. In this case, we show that we can construct a
simulator $\mathrm{Sim}_P$ that can produce a computationally indistinguishable view. In
the real execution, the server’s view is as follows:

$$\mathrm{view}^{\pi}_{P}(\Lambda, S_A, S_B) = \{\Lambda, r_P, \mathbf{v}^{(A)}, \mathbf{v}^{(B)}, \mathrm{Compute}, \mathbf{e}^{(A)}, \Lambda\}$$

where $r_P$ are the random coins of the server, $\mathbf{v}^{(A)}$, $\mathbf{v}^{(B)}$ are the blinded set
representations of A’s and B’s sets, Compute is the command to proceed from
A, and $\mathbf{e}^{(A)}$ is the encrypted vector that is used in the protocol to switch blinding
factors.
To simulate the view, $\mathrm{Sim}_P$ does the following: it creates an empty view,
then appends $\Lambda$ and uniformly at random chosen coins $r_P$ to the view. It then
randomly generates two $d$-element sets $S'_A$ and $S'_B$. It also chooses two random
keys $k'_A$ and $k'_B$ for a pseudorandom function $f$. It encodes $S'_A$ into its polynomial
representation, evaluates the polynomial with the public values $\mathbf{x}$, and blinds the
evaluation results with $r'^{(A)}_i = f(k'_A, i)$ for $0 \le i \le n - 1$. The result is $\mathbf{v}'^{(A)}$.
Similarly it can generate $\mathbf{v}'^{(B)}$. Then $\mathbf{v}'^{(A)}$ and $\mathbf{v}'^{(B)}$ are appended to the view.
Following that, the simulator generates the Compute command string with the
correct format and appends it to the view. It then computes $r'^{(B)}_i \cdot (r'^{(A)}_i)^{-1}$ and
encrypts the results with B’s public key. This produces $\mathbf{e}'^{(A)}$ that is appended
to the view. Finally, the simulator appends $\Lambda$ to the view and outputs the view.
We argue that the simulated view is computationally indistinguishable from
the real view. In both views, the input parts are identical, the random coins
are both uniformly random, and so they are indistinguishable. In the real view
$\mathbf{v}^{(A)}$, $\mathbf{v}^{(B)}$ are blinded with the outputs of a pseudorandom function, and so are the
vectors in the simulated view. Since the outputs of the pseudorandom function
are computationally indistinguishable, the distributions of $\mathbf{v}^{(A)}$, $\mathbf{v}^{(B)}$, $\mathbf{v}'^{(A)}$, $\mathbf{v}'^{(B)}$
are therefore computationally indistinguishable. If the homomorphic encryption
is semantically secure, then $\mathbf{e}^{(A)}$ and $\mathbf{e}'^{(A)}$ are also computationally
indistinguishable. The output parts in both views are identical. So, we conclude that
the views are indistinguishable.

Case 2: Corrupted client A. In the real execution, A’s view is as follows:

$$\mathrm{view}^{\pi}_{A}(\Lambda, S_A, S_B) = \{S_A, r_A, \mathbf{e}^{(B)}, \Lambda\}$$

The simulator $\mathrm{Sim}_A$ does the following: it creates an empty view, then appends
$\Lambda$ and uniformly at random chosen coins $r'_A$ to the view. It then chooses $n$ random
values $r_i$ and encrypts each $r_i$ with B’s public key. The result is $\mathbf{e}'^{(B)}$ and it is
appended to the view. The simulator then appends $\Lambda$ to the view. It is easy to see
that if the homomorphic encryption is semantically secure, then $\mathbf{e}^{(B)}$ and $\mathbf{e}'^{(B)}$
are computationally indistinguishable. So, the two views are indistinguishable.
Case 3: Corrupted client B. In the real execution, B’s view is as follows:

$$\mathrm{view}^{\pi}_{B}(\Lambda, S_A, S_B) = \{S_B, r_B, \mathrm{Permit}, \mathbf{t}, f_{\cap}(S_A, S_B)\}$$

The simulator $\mathrm{Sim}_B$ does the following: it creates an empty view, and appends
$\Lambda$ and uniformly at random chosen coins $r'_B$ to the view. Then it generates
the Permit command string with the correct format and appends it to the
view. Following that, it creates two $d$-element sets $S'_A$ and $S'_B$ such that $S'_A \cap
S'_B = f_{\cap}(S_A, S_B)$, converts $S'_A$ to its polynomial representation, evaluates the
polynomial using the public values $\mathbf{x}$ and obtains $\mathbf{y}'^{(A)}$. Similarly the simulator
can obtain $\mathbf{y}'^{(B)}$. The simulator chooses randomly two degree $d$ polynomials
$\omega'_A$ and $\omega'_B$, evaluates them using the public values $\mathbf{x}$ and obtains $\mathbf{w}'^{(A)}$ and
$\mathbf{w}'^{(B)}$. It also chooses a random key $k'_B$ for a pseudorandom function $f$ and
computes $r'^{(B)}_i = f(k'_B, i)$ for $0 \le i \le n - 1$. Then the simulator computes for
each $i$, $E_{pk_B}(r'^{(B)}_i \cdot (w'^{(A)}_i \cdot y'^{(A)}_i + w'^{(B)}_i \cdot y'^{(B)}_i))$. The result is $\mathbf{t}'$. The simulator
appends $\mathbf{t}'$ to the view and then appends $f_{\cap}(S_A, S_B)$. It is easy to see that the
distributions of $\mathbf{t}'$ and $\mathbf{t}$ are computationally indistinguishable. So, the two views
are indistinguishable.
Combining the above, we conclude the protocol is secure and complete our
proof.

6 Extensions

In this section we extend O-PSI to support dataset integrity verification and
multiple clients. These extensions require no major modification of the protocol.

6.1 Dataset Integrity Verification

To add data integrity verification to O-PSI we can use the verification mechanism
of any provable data possession protocol that does not reveal any information
about the confidential data to the server. For this purpose, we can adopt the
homomorphic verification tags proposed in [22]. These tags are homomorphic in
the sense that given two tags $T_a$ and $T_b$ for elements $a$ and $b$ one can combine
them as $T_a \cdot T_b$, which is equal to the tag $Tag_{a+b}$ of the sum $a + b$ of the two elements.
In O-PSI, client $I \in \{A, B\}$ defines a tag for each element $v^{(I)}_i$ of the blinded
dataset as: $T_{v^{(I)}_i} = (h(k_I || i) \cdot g^{v^{(I)}_i})^{d_I} \bmod N$, where $h$ is a secure deterministic
hash-and-encode function that maps strings uniformly to a unique cyclic
subgroup of $\mathbb{Z}^{*}_{N}$, $QR_N$, $k_I$ is a random value used for all elements in the set,
$g = a^2$, $a \xleftarrow{R} \mathbb{Z}^{*}_{N}$, and $N = p'q'$ is a RSA modulus, $p' = 2p'' + 1$, $q' = 2q'' + 1$ and
$d_I \cdot e_I = 1 \bmod p''q''$, where $q''$ and $p''$ are prime numbers. The hash value $h(k_I || i)$
binds the tag $T_{v^{(I)}_i}$ to the value $v^{(I)}_i$ and prevents the server from using the tag
to compute a proof for a different value. Note, $v^{(I)}_i = y^{(I)}_i \cdot r^{(I)}_i$ is a uniformly random
value. Consequently, each tag $T_{v^{(I)}_i}$ does not leak any information about the
private value $y^{(I)}_i$ to the server. In this protocol client $I$, along with its blinded
dataset, outsources a vector $\mathbf{tag}^{(I)}$ comprising values $T_{v^{(I)}_i}$ ($0 \le i \le n - 1$) to the
server. The challenge, proof generation and verification phases of the protocol
remain unchanged from those described in [22].

6.2 Multiple Clients

O-PSI can be used to compute the intersection of the outsourced datasets of
multiple clients. In this case, the client interested in the intersection, client B,
sends the same request (see step 3a of the protocol) to all other clients, $A_j$
($1 \le j \le m$). The protocol for each client $A_j$ remains unchanged (see step 3b).
For each client $A_j$, the server carries out step 3c, and computes the result vector
$\mathbf{t}$ such that for $0 \le i \le n - 1$:

$$\begin{aligned}
t_i &= E_{pk_B}(w^{(B)}_i \cdot v^{(B)}_i) \cdot \prod_{1 \le j \le m} (e^{(A_j)}_i)^{v^{(A_j)}_i \cdot w^{(A_j)}_i} \\
&= E_{pk_B}\Big(r^{(B)}_i \cdot \big(w^{(B)}_i \cdot y^{(B)}_i + \sum_{1 \le j \le m} w^{(A_j)}_i \cdot y^{(A_j)}_i\big)\Big)
\end{aligned}$$

Then the server sends $\mathbf{t}$ to client B, that carries out the final step, step 3e,
unchanged. Note that in this protocol, even if $m - 1$ clients collude, none can
infer the set elements of the non-corrupted client, as the random polynomials
$\omega^{(A_j)}_I$, picked by the server, are unknown to the clients.

7 Evaluation

We evaluate O-PSI by comparing its properties to those provided by other protocols
that delegate PSI computation to a server. We also compare these protocols
in terms of communication and computation complexity. Table 1 summarises the
results.

Table 1. Comparison of different delegated PSI protocols. Set cardinality and
intersection cardinality are denoted by d and k respectively.

| Property | O-PSI | [12] | [13] | [14] | [15] | [16] |
|---|---|---|---|---|---|---|
| Non-interactive setup | ✓ | × | × | ✓ | ✓ | ✓ |
| Hiding the intersection size from the server | ✓ | ✓ | ✓ | × | ✓ | × |
| Many set intersections without re-preparation | ✓ | × | × | × | × | × |
| Multiple clients | ✓ | ✓ | ✓ | ✓ | × | ✓ |
| Computation integrity verification | × | ✓ | × | × | × | ✓ |
| Communication complexity | O(d) | O(d) | O(d^2) | O(d) | O(d^2) | O(k) |
| Computation complexity | O(d) | O(d) | O(d^2) | O(d^2) | O(d^2) | O(d) |

Properties. The protocols in [12,13] require clients to interact with each other
at setup. In [12] clients need to generate jointly the key of the pseudorandom
permutation used to encode the datasets, while in [13] they need to jointly compute
some parameters that are used in the encryption of their datasets. In contrast to
these protocols, in [14–16] and O-PSI the clients can independently prepare and
outsource their private datasets. This is desirable in a cloud computing context
as organizations and individuals can take advantage of the storage capabilities
of the cloud and outsource their data at different points in time and without
prior consideration of who is going to use them.
In a delegated PSI protocol, privacy should be maintained and the server should
not learn anything about the intersection during the computation, including its
cardinality. This is the case for the size-hiding variation of [12], protocols in [13,15],
and O-PSI. However, as discussed in section 2 this is not the case for [14,16].
More interestingly, O-PSI is the only protocol in which clients can reuse
their outsourced datasets on the server in multiple delegated PSI computations
without the need to prepare their datasets for each computation, and computing
PSI on the outsourced dataset multiple times does not reveal any information
to the server. This is an important advantage in scenarios where outsourced
datasets are expected to be used a lot of times, as it significantly reduces the
overall communication and storage cost for the clients. This is not the case
for any of the other protocols, because the clients either do not outsource their
datasets, or need to re-encode them locally for each operation in order to prevent
the server from inferring information about the intersection over time.
As we showed in section 6.2, O-PSI can be easily extended to support multiple
clients. This is also the case for [12–14,16]. However, this is not possible for [15],
as this requires an additional logical operation that is not supported by the
homomorphic encryption scheme used.
O-PSI has been designed for the semi-honest security model and as a result
does not consider the case where the server maliciously deviates from the protocol
and computes the wrong result. This is a reasonable assumption in a cloud
computing context where cloud providers are keen to preserve their reputation
and this assumption is widely considered in the literature [13–15,23,24]. However,
[16] allows the client to verify the correctness of the results, while as we
have seen in section 2, [12] can detect server misbehavior at an additional cost.
In conclusion, in contrast to other protocols, O-PSI has a unique combination
of properties that make it particularly appealing for a cloud computing setting.
Another random document with
no related content on Scribd:
apotheosis of womanhood, sketched by Guido Guinizelli, is
developed with mystical fullness, and there is even perhaps a hint of
some future work in honour of Beatrice that will deal with the world
beyond the grave. The two sonnets that follow are a kind of
supplement; the first:

Amore e ’l cor gentil sono una cosa,

“Love and the gentle heart are one same thing,” gives a definition of
love, elaborating the Guinizellian doctrine; the second:

Ne li occhi porta la mia donna Amore,

“Within her eyes my lady carries Love,” pursues the conception
further, to represent Beatrice herself as the creatrix of the divine gift
of gentilezza by which the heart is capable of noble love. Two
sonnets on the death of Beatrice’s father lead up to a veritable lyrical
masterpiece, the canzone:

Donna pietosa e di novella etate,

“A lady pitiful and of tender age,” the anticipatory vision of Beatrice’s
death—the “Dante’s Dream” of Rossetti’s famous picture. The
following sonnet, in which Beatrice and Cavalcanti’s lady, Primavera
or Giovanna, appear together, is the only place in the Vita Nuova
where Dante calls her whom he loved by the name by which she
was actually known—“Bice.” Love now no longer appears weeping,
but speaks joyfully in the poet’s heart. All that was personal in
Dante’s worship seems to have passed away with his earlier
lamentations; his love has become a transcendental rapture, an
ecstasy of self-annihilation. This part of the book culminates in the
two sonnets:

Tanto gentile e tanto onesta pare,

“So noble and so pure seems my lady,” in which a similar sonnet of
Guinizelli’s is easily surpassed, and

Vede perfettamente onne salute,

“He seeth perfectly all bliss, who beholds my lady among the ladies”;
sonnets which are flawless gems of mediaeval poetry. Then abruptly,
in the composition of a canzone which should have shown how Love
by means of Beatrice regenerated his soul, the pen falls from his
hand: Beatrice has been called by God to Himself, to be glorious
under the banner of Mary, “How doth the city sit solitary that was full
of people!”
Some falling off may be detected here and there in the third part of
the Vita Nuova (xxix. to xli.), which includes the prose and poetry
connected with Beatrice’s death, the love for the lady who takes pity
upon the poet’s grief, his repentance and return to Beatrice’s
memory. A stately canzone:

Li occhi dolenti per pietà del core,

“The eyes that grieve for pity of the heart,” is a companion piece to
the opening canzone of the second part; the poet now speaks of
Beatrice’s death in the same form and to the same love-illumined
ladies to whom he had formerly sung her praises. More beautiful are
the closing lines of the shorter canzone, written for Dante’s second
friend, who was apparently Beatrice’s brother. After the charming
episode of the poet drawing an Angel on her anniversary, the “gentle
lady, young and very fair,” inspires him with four sonnets; and his
incipient love for her is dispelled by a “strong imagination,” a vision of
Beatrice as he had first seen her in her crimson raiment of childhood.
The bitterness of Dante’s repentance is a foretaste of the confession
upon Lethe’s bank in the Purgatorio. The pilgrims pass through the
city on their way to Rome, “in that season when many folk go to see
that blessed likeness which Jesus Christ left us as exemplar of His
most beauteous face, which my lady sees in glory” (V. N. xli.); and
this third part closes with the sonnet in which Dante calls upon the
pilgrims to tarry a little, till they have heard how the city lies desolate
for the loss of Beatrice.
In the epilogue (xlii., xliii.), in answer to the request of two of those
noble ladies who throng the ways of Dante’s mystical city of youth
and love as God’s Angels guard the terraces of the Mount of
Purgation, Dante writes the last sonnet of the book; wherein a “new
intelligence,” born of Love, guides the pilgrim spirit beyond the
spheres into the Empyrean to behold the blessedness of Beatrice. It
is an anticipation of the spiritual ascent of the Divina Commedia,
which is confirmed in the famous passage which closes the “new life”
of Love:
“After this sonnet there appeared unto me a wonderful vision:
wherein I saw things which made me purpose to say no more of this
blessed one, until such time as I could discourse more worthily
concerning her. And to attain to that I labour all I can, even as she
knoweth verily. Wherefore if it shall be His pleasure, through whom is
the life of all things, that my life continue for some years, I hope that I
shall yet utter concerning her what hath never been said of any
woman. And then may it seem good unto Him, who is the Lord of
courtesy, that my soul may go hence to behold the glory of its lady:
to wit, of that blessed Beatrice who gazeth gloriously upon the
countenance of Him who is blessed throughout all ages.”[10]
From the mention of the pilgrimage, and this wonderful vision, it
has been sometimes supposed that the closing chapters of the Vita
Nuova were written in 1300. It seems, however, almost certain that
there is no reference whatever to the year of Jubilee in the first case.
When Dante’s positive statement in the Convivio, that he wrote the
Vita Nuova at the entrance of manhood (gioventute being the twenty
years from twenty-five to forty-five, Conv. iv. 24), is compared with
the internal evidence of the book itself, the most probable date for its
completion would be between 1291 and 1293. It should, however, be
borne in mind that, while there is documentary evidence that some of
the single poems were in circulation before 1300, none of the extant
manuscripts of the whole work can be assigned to a date much
earlier than the middle of the fourteenth century. It is, therefore, not
inconceivable that the reference to the vision may be associated with
the spiritual experience of 1300 and slightly later than the rest of the
book.[11]
The form of the Vita Nuova, the setting of the lyrics in a prose
narrative and commentary, is one that Dante may well have invented
for himself. If he had models before his eyes, they were probably, on
the one hand, the razos or prose explanations which accompanied
the poems of the troubadours, and, on the other, the commentaries
of St. Thomas Aquinas on the works of Aristotle, which Dante
imitates in his divisions and analyses of the various poems. His
quotations show that he had already studied astronomy, and made
some rudimentary acquaintance with Aristotle and with the four chief
Latin poets; the section in which he speaks of the latter, touching
upon the relations between classical and vernacular poetry (xxv.),
suggests the germ of the De Vulgari Eloquentia. The close of the
book implies that he regarded lack of scientific and literary
equipment as keeping him from the immediate fulfilment of the
greater work that he had even then conceived for the glory of
Beatrice.
In the Convivio, where all else is allegorical, Beatrice is still simply
his first love, lo primo amore (ii. 16). Even when allegorically
interpreting the canzone which describes how another lady took her
place in his heart, after her death, as referring to Philosophy, there is
no hint of any allegory about quella viva Beatrice beata, “that
blessed Beatrice, who lives in heaven with the Angels and on earth
with my soul” (Conv. ii. 2). When about to plunge more deeply into
allegorical explanations, he ends what he has to say concerning her
by a digression upon the immortality of the soul (Conv. ii. 9): “I so
believe, so affirm, and so am certain that I shall pass after this to
another better life, there where that glorious lady lives, of whom my
soul was enamoured.”
Those critics who question the reality of the story of the Vita
Nuova, or find it difficult to accept without an allegorical or idealistic
interpretation, are best answered in Dante’s own words: Questo
dubbio è impossibile a solvere a chi non fosse in simile grado fedele
d’Amore; e a coloro che vi sono è manifesto ciò che solverebbe le
dubitose parole; “This difficulty is impossible to solve for anyone who
is not in similar grade faithful unto Love; and to those who are so,
that is manifest which would solve the dubious words” (V. N. xiv.).

2. The “Rime”
The Rime—for which the more modern title, Canzoniere, has
sometimes been substituted—comprise all Dante’s lyrical poems,
together with others that are more doubtfully attributed to him. In the
Vita Nuova were inserted three canzoni, two shorter poems in the
canzone mould, one ballata, twenty-five sonnets (including two
double sonnets). The “testo critico” of the Rime, edited by Michele
Barbi for the sexcentenary Dante, in addition to these accepts as
authentic sixteen canzoni (the sestina is merely a special form of
canzone), five ballate, thirty-four sonnets, and two stanzas. Dante
himself regards the canzone as the noblest form of poetry (V. E. ii.
3), and he expounded three of his canzoni in the Convivio. From the
middle of the fourteenth century onwards, a large number of MSS.
give these three and twelve others (fifteen in all) as a connected
whole in a certain definite order, frequently with a special rubric in
Latin or Italian prefixed to each; this order and these rubrics are due
to Boccaccio.[12] It has been more difficult to distinguish between the
certainly genuine and the doubtful pieces among the ballate and
sonnets, and the authenticity of some of those now included by Barbi
in the canon is still more or less open to question. The Rime, on the
whole, are the most unequal of Dante’s works; a few of the sonnets,
particularly some of the earlier ones and those in answer to other
poets, have but slight poetic merit, while several of the later canzoni
rank among the world’s noblest lyrics. In the sexcentenary edition
the arrangement of the lyrics is tentatively chronological, with
subsidiary groupings according to subject-matter. While following the
same general scheme, I slightly modify the arrangement, as certain
poems regarded by Barbi as “rime d’amore” appear to me to be
more probably allegorical.
(a) A first group belongs to the epoch of the Vita Nuova.
Conspicuous among them are two canzoni. One:

La dispietata mente che pur mira,

“Pitiless memory that still gazes back at the time gone by,” is
addressed directly to a woman (in this respect differing from Dante’s
other canzoni), who is probably the second lady represented as the
poet’s screen. The other:

E ’m’ incresce di me si duramente,

“I grieve for myself so bitterly,” seems to give fuller expression to the
first part of the Vita Nuova with an alien note—the image of the little
maiden has yielded to that of the woman whose great beauty is the
object of unattainable desire. At times a lighter note is struck; Dante
is apparently simply supplying words for composers to set to music,
or revealing a spirit of playfulness of which there is no trace in the
Vita Nuova.[13] Besides sonnets in honour of Beatrice, we have a
few relating to other women, and in two ballate even their names are
given: Fioretta and Violetta. One delightful sonnet:

Sonar bracchetti e cacciatori aizzare,

“Beagles questing and huntsmen urging on,” reveals the poet taking
part in sport and appreciating a jape at his own expense. A number
of correspondence sonnets belong to this epoch, a small series
addressed to Dante da Maiano (of which no MS. has been
preserved) being probably earlier than the first sonnet of the Vita
Nuova. A note of pure romance is struck in the charming sonnet to
Guido Cavalcanti, in which the younger poet wishes that they two,
with Lapo Gianni and their three ladies (Dante’s being the first lady
who screened his love), might take a voyage over enchanted seas in
Merlin’s magic barque. Several admirable sonnets, now included in
this group, were formerly attributed to Cino da Pistoia.[14]
(b) The tenzone with Forese Donati forms a little group apart. Its
date is uncertain, but may be plausibly taken as between 1290 and
1296. These sonnets, though not free from bitterness which is
perhaps serious, may be regarded as exercises in that style of
burlesque and satirical poetry to which even Guido Guinizelli had
once paid tribute, and which Rustico di Filippo had made
characteristically Florentine.
(c) Next comes a group of poems, connected with the allegory of
the Convivio, in which an intellectual ideal is pursued with the
passion and wooed in the language of the lover who adores an
earthly mistress. “I say and affirm that the lady, of whom I was
enamoured after my first love, was the most beautiful and most pure
daughter of the Emperor of the Universe, to whom Pythagoras gave
the name Philosophy” (Conv. ii. 16). By some, not entirely
reconcilable, process the donna gentile, who appears at the end of
the Vita Nuova, has become a symbol of Philosophy, and the poet’s
love for her a most noble devotion. The canzone:

Voi che ’ntendendo il terzo ciel movete,

“Ye who by understanding move the third heaven,” describing the
conflict in Dante’s mind between this new love and the memory of
Beatrice, deals again with the matter of one of the sonnets of the
Vita Nuova; but the allegory is perhaps an after-thought. It is
commented upon in the second treatise of the Convivio and quoted
in Canto viii. of the Paradiso. The other poems of this group seem
purely allegorical: “By love, in this allegory, is always intended that
study which is the application of the enamoured mind to that thing of
which it is enamoured” (Conv. ii. 16). At first this service is painful
and laborious; and the mystical lady seems a cruel and proud
mistress, as she is represented in the “pitiful ballata”:

Voi che savete ragionar d’Amore,

“Ye who know how to discourse of love,” which is referred to in the
third treatise of the Convivio (iii. 9). But the defect is on the lover’s
own part, and in her light the difficulties which sundered him and her
are dispersed like morning clouds before the face of the sun. This
mystical worship culminates in the supreme hymn to his spiritual
mistress, whose body is Wisdom and whose soul is Love:

Amor che ne la mente mi ragiona,

“Love that in my mind discourses to me of my lady desirously,” which
is the second canzone of the Convivio (quoted in V. E. ii. 6), the
amorous song that Casella was to sing “met in the milder shades of
Purgatory.” It is one of Dante’s lyrical masterpieces. Hardly less
beautiful is the canzone, likewise cited in the De Vulgari Eloquentia
(V. E. ii. 5, 11):

Amor, che movi tua vertù dal cielo,

“Love that movest thy power from heaven”; with a mystical
comparison of the workings of love to those of the sun and striking
lines on the supernatural power of the illumined imagination. This
allegorical group may be regarded as closed by the canzone:

Io sento si d’Amor la gran possanza,

“I feel so the great power of love,” in which Dante represents himself
as too young to obtain his lady’s grace, but is content to serve on,
finding the quest of philosophic truth its own reward. This poem has
two commiati (the commiato, or tornata, being the stanza or part of a
stanza, or a few independent lines, added as an address or farewell
at the end of a canzone); both seem to imply that philosophic verse
may be the instrument of political or social reform.[15]
(d) Dante originally held that Italian poetry should only be used for
writing upon love, and therefore, in his younger days, a philosophical
poem would naturally take the form of a love ode. In the Vita Nuova,
he argues “against those who rhyme upon any matter other than
amorous; seeing that such mode of speech was originally found for
speaking of love” (V. N. xxv). His views naturally widened before he
wrote his later canzoni (cf. V. E. ii. 2); but when, lacking inspiration
for a higher lyrical flight or baffled by some metaphysical problem, he
turns to set erring men right in didactic canzoni on some humbler
ethical subject, he represents himself as so doing because out of
favour with his lady or deserted by love. Thus, “The sweet rhymes of
love, which I was wont to seek in my thoughts, needs must I leave”—

Le dolci rime d’amor, ch’i’ solia

—opens the canzone on the spiritual nature of true gentilezza
(inspired in part by Guinizelli), which is expounded in the fourth
treatise of the Convivio, and, although somewhat unequal, contains
one ineffable stanza upon the noble soul in life’s four stages. A
companion poem:

Poscia ch’Amor del tutto m’ ha lasciato,

“Since love has left me utterly,” deals with leggiadria, the outward
expression of a chivalrous soul, and shows the influence of the
Tesoretto of Brunetto Latini. These two canzoni, which contain
transcripts from the Aristotelian Ethics, only here and there become
poetry. In the larger proportion of short lines in the stanza, Dante
seems feeling his way to a more popular metrical form and a freer
treatment, as well as a wider range of subject. The second has
satirical sketches of vicious or offensive types of men, with whom he
will deal more severely in the Commedia.
(e) There are certain lyrics of Dante’s which can hardly admit of an
allegorical interpretation, but are almost certainly the expression of
passionate love for real women. Most notable among these are a
group of four canzoni, known as the rime per la donna pietra, which
are characterised by a peculiar incessant playing upon the word
pietra, or “stone,” which has led to the hypothesis that they were
inspired by a lady named Pietra, or at least by one who had been as
cold and rigid as Beatrice had been the giver of blessing. The
canzone of the aspro parlare:

Così nel mio parlar voglio esser aspro,

“So in my speech would I be harsh, as this fair stone is in her acts,”
shows that Dante could be as terrible in his love as in his hate, and
has a suggestion of sensuality which we hardly find elsewhere in his
poetry. It is indirectly referred to in the Convivio, and quoted by
Petrarch. The other three canzoni of this “stony” group show very
strongly the influence of the Provençal Arnaut Daniel in their form,
and all their imagery is drawn from nature in winter. The sestina:

Al poco giorno e al gran cerchio d’ombra,

“To the short day and the large circle of shade have I come,” is the
first Italian example of that peculiar variety of the canzone which was
invented by Arnaut (V. E., ii. 10, 13). It gives a most wonderful
picture of this strange green-robed girl, her golden hair crowned with
grass like Botticelli’s Libyan Sibyl, in the meadow “girdled about with
very lofty hills.” Less beautiful and more artificial, the canzone:

Amor, tu vedi ben che questa donna,

“Love, thou seest well that this lady cares not for thy power,” is
likewise quoted with complacency, for its novelty and metrical
peculiarity, in the De Vulgari Eloquentia (ii. 13). And the passion of
the whole group is summed up in the poem on Love and Winter:

Io son venuto al punto de la rota,

“I am come to the point of the wheel,” where, stanza by stanza, the
external phenomena of the world in winter are contrasted with the
state of the poet’s soul, ever burning in the “sweet martyrdom” of
love’s fire. It is the ultimate perfection of a species of poem
employed by Arnaut and other troubadours; another lyrical
masterpiece, anticipating in its degree the treatment of nature which
we find in the Commedia. These four poems were probably
composed shortly before Dante’s banishment, but another canzone
of somewhat similar tone was certainly written in exile—the famous
and much discussed “mountain song”:

Amor, da che convien pur ch’io mi doglia,

“Love, since I needs must make complaint,” apparently describing an
overwhelming passion for the fair lady of the Casentino; its pathetic
close, with its reference to Florence, has been already quoted. The
striking sonnet to Cino da Pistoia about the same time:

Io sono stato con Amore insieme,

“I have been in company with love since the circling of my ninth sun,”
affords further testimony that, at certain epochs of his life, earthly
love took captive Dante’s freewill.
(f) To the earlier years of Dante’s exile belongs the noblest and
most sublime of his lyrics, the canzone:

Tre donne intorno al cor mi son venute,

“Three ladies are come around my heart and are seated without, for
within sits Love who is in lordship of my life.” They are Justice and
her spiritual children; Love prophesies the ultimate triumph of
righteousness, and the poet, with such high companionship in
outward misfortune, declares that he counts his exile as an honour.
While recalling the legend of the apparition of Lady Poverty and her
two companions to St. Francis of Assisi, and a poem of Giraut de
Borneil on the decay of chivalry, the canzone echoes Isaiah (ch. li.).
Its key may be found in the prophet’s words: “Hearken unto me, ye
that know Justice, the people in whose heart is my law; fear ye not
the reproach of men, neither be ye afraid of their revilings.” It was
probably written between 1303 and 1306; its opening lines have
been found transcribed in a document of 1310.[16] To about the
same epoch must be assigned the powerful canzone against vice in
general and avarice in particular:

Doglia mi reca ne lo core ardire,

“Grief brings daring into my heart,” which is cited in the De Vulgari
Eloquentia (associated with another poem of Giraut de Borneil) as a
typical poem on rectitudo, “righteousness,” “the direction of the will”
(V. E. ii. 2). These two canzoni are the connecting link between the
Rime and the Commedia; the first contains the germ of Dante’s
prophecy of the Veltro, his Messianic hope of the Deliverer to come,
who shall make Love’s darts shine with new lustre and renovate the
world; in the second, we already catch the first notes of the saeva
indignatio of the sacred poem. With the exception of the “montanina
canzone” and some sonnets to Cino da Pistoia, Dante wrote few
other lyrics at this period[17]; indeed, one of the sonnets seems to
imply that he had finally turned away from such poetry (da queste
nostre rime) in contemplation of his greater task:

Io mi credea del tutto esser partito,

“I deemed myself to have utterly departed from these our rhymes,
Messer Cino, for henceforth another path befits my ship and further
from the shore.”

3. The “Convivio”
The Convivio, or “Banquet,” bears a somewhat similar relation to
the work of Dante’s second period as the Vita Nuova did to that of
his adolescence. Just as after the death of Beatrice he collected his
earlier lyrics, furnishing them with prose narrative and commentary,
so now in exile he intended to put together fourteen of his later
canzoni and write a prose commentary upon them, to the honour
and glory of his mystical lady, Philosophy. Dante was certainly not
acquainted with Plato’s Symposium. It was from the De Consolatione
Philosophiae of Boëthius that the idea came to him of representing
Philosophy as a woman; but the “woman of ful greet reverence by
semblaunt,” who “was ful of so greet age, that men ne wolde nat
trowen, in no manere, that she were of oure elde” (so Chaucer
renders Boëthius), is transformed to the likeness of a donna gentile,
the idealised human personality of the poetry of the “dolce stil
nuovo”:
“And I imagined her fashioned as a gentle lady; and I could
not imagine her in any bearing save that of compassion;
wherefore so willingly did the sense of truth look upon her,
that scarcely could I turn it from her. And from this imagining I
began to go there where she revealed herself in very sooth, to
wit, in the schools of religious and at the disputations of
philosophers; so that in a short time, perchance of thirty
months, I began to feel so much of her sweetness, that her
love drove out and destroyed every other thought” (Conv. ii.
13).
The Convivio is an attempt to bring philosophy out of the schools
of religious and away from the disputations of philosophers, to
render her beauty accessible even to the unlearned. “The Convivio”,
says Dr. Wicksteed, “might very well be described as an attempt to
throw into popular form the matter of the Aristotelian treatises of
Albertus Magnus and Thomas Aquinas.” Dante’s text is the opening
sentence of Aristotle’s Metaphysics: “All men by nature desire to
know”; which he elaborates from the commentary of Aquinas and the
latter’s Summa contra gentiles. He would gather up the crumbs
which fall from the table where the bread of Angels is eaten, and
give a banquet to all who are deprived of this spiritual food. It is the
first important work on philosophy written in Italian—an innovation
which Dante thinks necessary to defend in the chapters of the
introductory treatise, where he explains his reasons for commenting
upon these canzoni in the vernacular instead of Latin, and
incidentally utters an impassioned defence of his mother-tongue,
with noteworthy passages on the vanity of translating poetry into
another language and the potentialities of Italian prose (Conv. i. 7,
10).
In addition to this principal motive for writing the work, the desire of
giving instruction, Dante himself alleges another—the fear of infamy,
timore d’infamia (Conv. i. 2): “I fear the infamy of having followed
such great passion as whoso reads the above-mentioned canzoni
will conceive to have held sway over me; the which infamy ceases
entirely by the present speaking of myself, which shows that not
passion, but virtue, has been the moving cause.” It would seem that
Dante intended to comment upon certain of the canzoni connected
with real women, and to represent them as allegorical; it may be that,
consumed with a more than Shelleyan passion for reforming the
world, he chose this method of getting rid of certain episodes in the
past which he, with too much self-severity, regarded as rendering
him unworthy of the sublime office he had undertaken. And, by a
work of lofty style and authority, he would rehabilitate the man who,
in his exiled wanderings, had “perchance cheapened himself more
than truth wills” (i. 4).
Only the introductory treatise and three of the commentaries were
actually written: those on the canzoni Voi che ’ntendendo, Amor che
ne la mente mi ragiona, Le dolci rime d’amor. If the whole work had
been completed on the same scale as these four treatises, a great
part of the field of knowledge open to the fourteenth century would
have been traversed in the ardent service of this mystical lady, whom
the poet in the second treatise—not without considerable
inconsistency—represents as the same as the donna gentile who
appeared towards the end of the Vita Nuova (Conv. ii. 2). As it is, the
movements of the celestial bodies, the ministry of the angelic orders,
the nature of the human soul and the grades of psychic life, the
mystical significance and universality of love, are among the subjects
discussed in the second and third treatises. The fourth treatise is
primarily ethical: nobility as inseparable from love and virtue, wealth,
the Aristotelian definition of moral virtue and human felicity, the goal
of human life, the virtues suitable to each age, are among the
themes considered. Under one aspect the Convivio is a vernacular
encyclopaedia (like the Trésor of Brunetto Latini), but distinguished
from previous mediaeval works of the kind by its peculiar form, its
artistic beauty, and its personal note. From the first treatise it is
evident that the whole work had been fully planned; but it is not
possible to reconstruct it with any plausibility, or to decide upon the
question of which of the extant canzoni were to be included, and in
what order. From iv. 26, it may be conjectured that the passionate
canzone, Così nel mio parlar voglio esser aspro (Rime ciii., O. canz.
xii.), was to be allegorised in the seventh treatise; while, from i. 12, ii.
1, iv. 27, it appears fairly certain that the canzone of the three ladies,
Tre donne intorno al cor (Rime civ., O. canz. xx.), would have been
expounded in the fourteenth, where Justice and Allegory were to
have been discussed; and, from i. 8 and iii. 15, that the canzone
against the vices, Doglia mi reca (Rime cvi., O. canz. x.), was
destined for the poetical basis of the last treatise of all. It is thus clear
that the Convivio would have ended with the two canzoni which form
the connecting link between the lyrical poems and the Divina
Commedia. For the rest, it is certain that there would have been no
mention of Beatrice in any of the unwritten treatises. In touching
upon the immortality of the soul (Conv. ii. 9), Dante had seen fit to
end what he wished to say of “that living blessed Beatrice, of whom I
do not intend to speak more in this book.” There seems also good
reason for supposing that the canzone for the beautiful lady of the
Casentino (Rime cxvi., O. canz. xi.), which may be of a slightly later
date than the others, would not have formed part of the completed
work.
Witte and others after him have supposed that the Convivio
represents an alienation from Beatrice; that the Philosophy, which
Dante defines as the amorous use of wisdom, is a presumptuous
human science leading man astray from truth and felicity along the
dangerous and deceptive paths of free speculation. There is,
however, nothing in the book itself to support this interpretation,[18]
and, indeed, a comparison between the second canzone, Amor che
ne la mente mi ragiona, and the first canzone of the Vita Nuova
points to the conclusion that the personification of philosophy is but a
phase in the apotheosis of Beatrice herself. The Convivio is the first
fruit of Dante’s labours to fulfil the promise made at the end of the
book of his youth; his knowledge of literature and philosophy has
immeasurably widened, his speculations on human life and nature
have matured, and his prose style, in its comparative freedom and
variety, its articulation and passages of spontaneous eloquence,
shows a vast progress from that of the Vita Nuova.
There are passages in the Convivio which appear to be
contradicted in the Divina Commedia. One of the most curious is the
treatment of Guido da Montefeltro, who, in Conv. iv. 28, is “our most
noble Italian,” and a type of the noble soul returning to God in the
last stage of life, whereas, in the Inferno (Canto xxvii.), he is found in
the torturing flames of the evil counsellors. Several opinions are
directly or indirectly withdrawn in the Paradiso; but these are to be
rather regarded as mistakes which, in the light of subsequent
knowledge, Dante desired to rectify or repudiate; such as the theory
of the shadow on the moon being caused by rarity and density,
based upon Averroës, and a peculiar arrangement of the celestial
hierarchies, derived from the Moralia of St. Gregory the Great. And,
in the Purgatorio, the poet discards his “dread of infamy,” when he
dares not meet Beatrice’s gaze in the Garden of Eden; he casts
aside the allegorical veil he had tried to draw over a portion of the
past, and makes the full confession which we find in Cantos xxx. and
xxxi. In the fourth treatise, an erroneous sentence attributed to
Frederick II. (in reality a mutilated version of the definition of nobility
given by Aristotle in the Politics) leads Dante to examine the limits
and foundation of the imperial authority, the divine origin of Rome
and the universal dominion of the Roman people, the relation of
philosophy to government; a theme which he will work out more fully
and scientifically in the Monarchia. The result is two singularly
beautiful chapters (iv.-v.); a prose hymn to Rome, an idealised
history of the city and her empire. It is the first indication of the poet’s
conversion from the narrower political creed of the Florentine citizen
to the ideal imperialism which inspires his later works.
It has sometimes been held that portions of the Convivio were
written before exile. Nevertheless, while two of the canzoni were
composed before 1300, it seems most probable that the prose
commentaries took their present shape between Dante’s breaking
with his fellow-exiles and the advent of Henry VII. A passage
concerning Frederick II., “the last emperor of the Romans with
respect to the present time, although Rudolph and Adolph and Albert
were elected after his death and that of his descendants” (Conv. iv.
3), shows that the fourth treatise was written before the election of
Henry VII., in November 1308; while a reference to Gherardo da
Cammino, lord of Treviso (iv. 14), seems to have been written after
his death in March 1306. From the mention of Dante’s wanderings in
exile through so many regions of Italy (i. 3), it has sometimes been
argued that the first is later than the subsequent treatises. It is
tempting to associate the breaking off the work with Boccaccio’s
story of the recovery of the beginning of the Inferno. Be that as it
may, the advent of the new Caesar, Dante’s own return for a while to
political activity, probably interrupted his life of study; and, when the
storm passed away and left the poet disillusioned, his ideals had
changed, another world lay open to his gaze, and the Convivio was
finally abandoned.
FOOTNOTES:
[10] Io spero di dicer di lei quello che mai non fue detto
d’alcuna: dicer (dire) and detta, have here (as elsewhere in
Dante) the sense of artistic utterance, and more particularly
composition in poetry, whether in Latin or the vernacular. Cf. V. N.
xxv.
[11] Livi has shown that the first documentary evidence of the
existence of the Vita Nuova as a book is found at Bologna in June
1306.
[12] The Sexcentenary Dante admits as authentic one canzone
not included in this series: Lo doloroso amor che mi conduce
(Rime lxviii., O. canz. xvi.*); which is evidently an early
composition.
[13] Cf. Rime xlviii., lvi., lxiii. and the later xcix.; O. son. xlviii.*,
ball. viii., son. I.*, son. xxxvii.*
[14] Note especially Rime lix., lxvi.; O. sonnets lv., xxxviii*.
[15] To this group I would assign the sonnet, Chi guarderà già
mai sanza paura, and the ballata, I’ mi son pargoletta bella e
nova, without attaching any special significance to the fact that
“pargoletta” (“maiden” or “young girl”) occurs also in the canzone,
Io son venuto al punto de la rota, and in Beatrice’s rebuke, Purg.
xxxi. 59.
[16] Cf. G. Livi, Dante, suoi primi cultori, sua gente in Bologna, p. 24.
[17] Barbi adds to the Rime written in exile the impressive
political sonnet, yearning for justice and peace, Se vedi li occhi
miei di pianger vaghi (of which the attribution to Dante has
sometimes been questioned), and the sonnet on Lisetta, Per
quella via che la bellezza corre, a beautiful piece of
unquestionable authenticity, but which may, perhaps, belong to an
earlier epoch in the poet’s life.
[18] But cf. Wicksteed, From Vita Nuova to Paradiso, pp. 93-121.
CHAPTER III
DANTE’S LATIN WORKS
1. The “De Vulgari Eloquentia”
In the first treatise of the Convivio (i. 5), Dante announces his
intention of making a book upon Volgare Eloquenza, artistic
utterance in the vernacular. Like the Convivio, the De Vulgari
Eloquentia remains incomplete; only two books, instead of four, were
written, and of these the second is not finished. In the first book the
poet seeks the highest form of the vernacular, a perfect and imperial
Italian language, to rule in unity and concord over all the dialects, as
the Roman Empire over all the nations; in the second book he was
proceeding to show how this illustrious vulgar tongue should be used
for the art of poetry. Villani’s description of the work applies only to
the first book: “Here, in strong and ornate Latin, and with fair
reasons, he reproves all the dialects of Italy”; Boccaccio’s mainly to
the second: “A little book in Latin prose, in which he intended to give
instruction, to whoso would receive it, concerning composition in
rhyme.”[19]
Book I.—At the outset Dante strikes a slightly different note from
that of the Convivio, by boldly asserting that vernacular in general
(as the natural speech of man) is nobler than “grammar,” literary
languages like Latin or Greek, which he regards as artificially formed
(V. E. i. 1). To discover the noblest form of the Italian vernacular, the
poet starts from the very origin of language itself. To man alone of
creatures has the intercourse of speech been given: speech, the
rational and sensible sign needed for the intercommunication of
ideas. Adam and his descendants spoke Hebrew until the confusion
of Babel (cf. the totally different theory in Par. xxvi. 124), after which
this sacred speech remained only with the children of Heber (i. 2-7).
From this point onwards the work becomes amazingly modern. Of
the threefold language brought to Europe after the dispersion, the
southernmost idiom has varied into three forms of vernacular speech
—the language of those who in affirmation say oc (Spanish and
Provençal), the language of oil (French), the language of sì (Italian).
[20] And this Italian vulgar tongue has itself varied into a number of
dialects, of which Dante distinguishes fourteen groups, none of
which represent the illustrious Italian language which he is seeking.
“He attacks,” wrote Mazzini, “all the Italian dialects, but it is because
he intends to found a language common to all Italy, to create a form
worthy of representing the national idea.” The Roman is worst of all
(i. 11). A certain ideal language was indeed employed by the poets
at the Sicilian court of Frederick and Manfred, but it was not the
Sicilian dialect (i. 12). The Tuscans speak a degraded vernacular,
although Guido Cavalcanti, Lapo Gianni and another Florentine
(Dante himself), and Cino da Pistoia have recognised the excellence
of the ideal vulgar tongue (i. 13). Bologna alone has a “locution
tempered to a laudable suavity”; but which, nevertheless, cannot be
the ideal language, or Guido Guinizelli and other Bolognese poets
would not have written their poems in a form of speech quite
different from the special dialect of their city (i. 15). “The illustrious,
cardinal, courtly, and curial vulgar tongue in Italy is that which
belongs to every Italian city, and yet seems to belong to none, and
by which all the local dialects of the Italians are measured, weighed,
and compared” (i. 16). This is that ideal Italian which has been
artistically developed by Cino and his friend (Dante himself) in their
canzoni, and which makes its familiars so glorious that “in the
sweetness of this glory we cast our exile behind our back” (V. E. i.
17). Such should be the language of the imperial Italian court of
justice, and, although as far as Italy is concerned there is no prince,
and that court is scattered in body, its members are united by the
gracious light of reason (i. 18). This standard language belongs to
the whole of Italy, and is called the Italian vernacular (latinum
vulgare); “for this has been used by the illustrious writers who have
written poetry in the vernacular throughout Italy, as Sicilians,
Apulians, Tuscans, natives of Romagna, and men of both the
Marches” (i. 19).
