Xinyi Huang
4 records found
1
PrivBox
Privacy-Preserving Deep Packet Inspection with Dual Double-masking Obfuscated Rule Generation
Many network middleboxes have been deployed to perform deep packet inspection (DPI) over packet payloads. However, such middleboxes cannot accomplish their tasks when the traffic is encrypted. BlindBox (SIGCOMM 2015) provided the first solution for performing DPI over encrypted traffic. To improve its efficiency, a later proposal, PrivDPI (CCS 2019), introduced a practical technique to generate encrypted rules. However, a recent proposal, P2DPI (ASIACCS 2021), showed that the rule generator in PrivDPI can compromise the user's privacy. In this article, we present a new attack on P2DPI and show that the privacy of its endpoints can still be compromised by the rule generator. We comprehensively analyze the vulnerabilities of prior studies and present PrivBox, a new DPI system that achieves the same privacy guarantee as BlindBox while maintaining practical efficiency. PrivBox is based on a new technique called dual double-masking obfuscated rule generation. For a ruleset of 3,000 rules, PrivBox achieves connection establishment time on the endpoint side comparable to PrivDPI and supports up to 4,672 token encryptions per second, which is sufficient for a number of real-world applications. Overall, our experiments demonstrate that PrivBox is practical and well-suited for short, frequently established sessions, especially when token repetition is common.
Using cloud-based storage services, users can remotely store their data in the cloud and also enjoy high-quality data retrieval services, without tedious and cumbersome local data storage and maintenance. However, a storage service alone cannot satisfy all of users' requirements. Over the last decade, privacy-preserving search over encrypted cloud data has been a meaningful and practical research topic for outsourced data security. The fact that, with remote cloud storage, users do not have full physical possession of their data makes privacy-preserving search a formidable task. A naive solution is to delegate a trusted party to access the stored data and carry out the search. This, nevertheless, does not scale well in practice, as full data access may easily harm user privacy. To securely introduce an effective solution, we should guarantee the privacy of the search contents, i.e., what a user wants to search for, and of the returned results, i.e., what the server returns to the user. Furthermore, we also need to guarantee the privacy of the outsourced data and impose no additional local search burden on the user. In this paper, we design a novel privacy-preserving functional encryption-based search mechanism over encrypted cloud data. A major advantage of our new primitive compared with existing public-key-based search systems is that it supports an extremely expressive search mode, regular language search. Our security and performance analysis shows that the proposed system is provably secure and more efficient than some searchable systems with high expressiveness.