Summer School on real-world crypto and privacy
June 17–21, 2019
Šibenik, Croatia

List of currently confirmed speakers:

  • Sadia Afroz, UC Berkeley, USA

  • Karthikeyan Bhargavan, INRIA (Paris), France

  • Joan Daemen, Radboud University, The Netherlands
  • Title: What makes a cipher efficient? Design choices and relevant metrics
    Abstract: In the last 25 years of the 20th century, mainstream block cipher research was focused on the design and analysis of the non-linear component in these ciphers: the S-boxes. These were seen as the single security-determining component in a block cipher. After the standardization of Rijndael as AES, the community shifted its attention to MDS mappings, mostly attempting to build MDS (or near-MDS) mappings with the lowest possible implementation cost. In the 21st century we have seen an explosion of new block ciphers, most of them borrowing building blocks and design approaches from older designs. Additionally, due to the success of the sponge and duplex constructions multiple research teams have been designing their own cryptographic permutation.

    So we are now confronted with a wide variety of block ciphers and permutations on the one hand, and a large amount of attack techniques on the other. What the vast majority of these ciphers share is that they are iterative: they consist of the repeated application of a round function. When choosing the number of rounds, one estimates the number of rounds required to provide resistance against the best known attack and one adds some rounds as a safety margin. The choice of the number of rounds is essential to strike a good compromise between efficiency and safety margin.

    Given a round function, choosing the number of rounds requires a good understanding of cryptanalysis. However, the design choices made before doing this analysis have a dramatic impact on the applicability of types of cryptanalysis. I will discuss these choices for round functions that have as non-linear step an S-box layer, often (incorrectly) called substitution-permutation networks (SPN). These choices are mainly the S-box width, state layout and alignment. To reason about these design choices, we introduce metrics for the linear part of the round function that allow one to quantify its relevant properties with respect to known types of cryptanalysis.

  • Daniel Gruss, TU Graz, Austria
  • (Talk 1) Title: Introduction to Microarchitectural Attacks
    Abstract: In this talk we will learn how to build basic microarchitectural attacks. This includes side-channel attacks like Flush+Reload on the cache, and fault attacks like Rowhammer on the DRAM. We will gain a deep understanding of how these basic techniques work and see how they can be applied in more complex attacks. Some of these attacks are transient execution attacks, such as Meltdown, Spectre, and Foreshadow. We will discuss defenses against microarchitectural attacks and see which building blocks they aim to break. Yet, we will find that some attacks are not yet mitigated and several challenges around microarchitectural attacks and defenses remain unsolved, leaving an open field for future research.

    (Talk 2) Title: Transient Execution Attacks
    Abstract: In this talk we will deepen our understanding of transient execution attacks and defenses. We will discuss the differences between all the Spectre variants in terms of microarchitectural (prediction) elements, the attacker model, and the attack strategy. We will discuss blank spots that we should look at in the future.

    With this knowledge we are prepared to discuss which defenses against transient execution attacks are effective. We will see that there are good defenses, but most are neither effective nor efficient. Finally we will discuss how future defenses should be designed.

  • Seda Gürses, KU Leuven, Belgium

  • Annelie Heuser, CNRS (IRISA), France
  • (Talk 1) Title: Introduction to Profiled Side-channel Attacks
    Abstract: In this talk, we will learn about side-channel analysis of embedded devices and recap classical profiled side-channel attacks. Nowadays, embedded devices are often performing security, privacy, and/or security-critical tasks. In this talk, we show how to reveal sensitive information using power consumption or electromagnetic emanation even when protected with cryptographic primitives. Special attention will be given to profiled attacks, where the assumption is made that an attacker is able to retrieve additional information in a learning phase from a similar device like the one under attack. We will detail classical profiled side-channel attacks such as the template attacks and the stochastic approach using practical examples.

    (Talk 2) Title: Recent advances in side-channel analysis using machine learning techniques
    Abstract: The core problem faced in side-channel analysis can be translated into common problems given in classical tasks for machine learning. It is therefore natural to use and exploit standard machine learning techniques to reveal sensitive data using side-channel information.

    In this talk, we will discuss recent advances made in the field of side-channel analysis using machine learning and deep learning techniques. This includes reshaping the underlying side-channel scenario with semi-supervised techniques, discussing evaluation metrics, and enhancing side-channel classification techniques.

  • Andreas Hülsing, TU Eindhoven, The Netherlands
  • (Talk 1) Title: Introduction to the theory of secret key cryptography
    Abstract: This lecture will revisit the basic primitives in secret key cryptography: secret key encryption, cryptographic hash functions, pseudorandom functions and message authentication codes. The lecture will cover the most relevant security notions and generic constructions.

    (Talk 2) Title: Hash functions in a post-quantum world
    Abstract: This talk will discuss several aspects of the theory of cryptographic hash functions that suddenly change when considering adversaries equipped with a quantum computer. For example, previous results on the conventional hardness of certain security properties do not apply or conventional security properties might not be sufficient anymore. The talk will cover bounds on the quantum hardness of traditional hash function properties as well as new quantum-security properties for hash-functions. Afterwards, the talk will move on to a new conventional security notion for hash functions that is motivated by applications in the post-quantum world.

  • Tibor Jager, Paderborn University, Germany
  • (Talk 1) Title: Real-World AKE
    Abstract: TBA

    (Talk 2) Title: Public-key 0-RTT protocols
    Abstract: TBA

  • Elif Bilge Kavun, The University of Sheffield, UK

  • Engin Kirda, Northeastern University, USA
  • (Talk 1) Title: Selected Topics in Web Security
    Abstract: TBA

    (Talk 2) Title: Advanced Malware: Attacks, Defenses, and Open Challenges
    Abstract: TBA

  • Anja Lehmann, IBM Research, Switzerland
  • (Talk 1) Title: Updatable Encryption & Key Rotation
    Abstract: TBA

    (Talk 2) Title: Group Signatures - Concepts, New Advances and Applications
    Abstract: TBA

  • Emmanuel Prouff, ANSSI, France
  • Title: Deep Learning for Embedded Security Evaluation
    Abstract: To provide assurance on the resistance of a system against side-channel analysis, several national or private schemes are today promoting an evaluation strategy, common in classical cryptography, which is focussing on the most powerful adversary who may train to learn about the dependency between the device behaviour and the sensitive data values. Several works have shown that this kind of analysis, known as Template Attacks in the side-channel domain, can be rephrased as a classical Machine Learning classification problem with learning phase. Following the current trend in the latter area, recent works have demonstrated that deep learning algorithms were very efficient to conduct security evaluations of embedded systems and had many advantages compared to the other methods. During the proposed presentation, I will come back to these recent works and will identify some avenues for further research on this topic.

  • Mariana Raykova, Yale University, USA

  • Patrick Schaumont, Virginia Tech, USA
  • Title: Hardware Acceleration in Cryptography
    Abstract: Although the bulk of information security is driven by software, the hardware implementation of cryptography can still be essential to meet performance and energy efficiency constraints. The specialized structures of a hardware implementation lead to highly energy-efficient design. This improves the battery life of mobile applications, and it reduces the power consumption of high-performance cloud applications.

    The objective of hardware-accelerated cryptography is to integrate specialized hardware seamlessly into a system application with minimal overhead. Additional considerations include proper isolation of hardware-based secrets from unauthorized access, as well as the protection of those secrets against specific hardware attacks.

    We discuss various form factors for hardware/software interfaces that integrate hardware crypto modules into the system software. We describe loosely-coupled memory-mapped structures and tightly-coupled custom instructions. Next, we discuss techniques that are used to transform sequential algorithms into parallel architectures, and we consider the application of those techniques to the hardware acceleration of cryptography.

    Throughout the talk, we illustrate the design concepts with examples of hardware acceleration of secret-key and public-key cryptography.

  • Benjamin Smith, INRIA and École Polytechnique, France

  • Juraj Somorovsky, Ruhr-Universität Bochum, Germany
  • (Talk 1) Title: Scalable Scanning and Automatic Classification of TLS Padding Oracle Vulnerabilities
    Abstract: The TLS protocol provides encryption, data integrity, and authentication on the modern Internet. Despite the protocol's importance, currently-deployed TLS versions use obsolete cryptographic algorithms which have been broken using various attacks. One prominent class of such attacks is CBC padding oracle attacks. These attacks allow an adversary to decrypt TLS traffic by observing different server behaviors which depend on the validity of CBC padding.

    We present the first large-scale scan for CBC padding oracle vulnerabilities in TLS implementations on the modern Internet. Our scan revealed vulnerabilities in 1.83% of the Alexa Top Million websites, detecting nearly 100 different vulnerabilities. Our scanner observes subtle differences in server behavior, such as responding with different TLS alerts, or with different TCP header flags.

    We used a novel scanning methodology consisting of three steps. First, we created a large set of probes that detect vulnerabilities at a considerable scanning cost. We then reduced the number of probes using a preliminary scan, such that a smaller set of probes has the same detection rate but is small enough to be used in large-scale scans. Finally, we used the reduced set to scan at scale, and clustered our findings with a novel approach using graph drawing algorithms.

    Contrary to common wisdom, exploiting CBC padding oracles does not necessarily require performing precise timing measurements. We detected vulnerabilities that can be exploited simply by observing the content of different server responses. These vulnerabilities pose a significantly larger threat in practice than previously assumed.

    The talk is based on our papers published at USENIX Security 2018 and 2019.

    (Talk 2) Title: Efail attack and its implications
    Abstract: OpenPGP and S/MIME are the two prime standards for providing end-to-end security for emails. We describe novel attacks built upon a technique we call malleability gadgets to reveal the plaintext of encrypted emails. We use CBC/CFB gadgets to inject malicious plaintext snippets into encrypted emails that abuse existing and standard-conforming backchannels, for example, in HTML, CSS, or X.509 functionality, to exfiltrate the full plaintext after decryption. The attack works for emails even if they were collected long ago, and is triggered as soon as the recipient decrypts a single maliciously crafted email from the attacker.

    We devise working attacks for both OpenPGP and S/MIME encryption, and show that exfiltration channels exist for 23 of the 35 tested S/MIME email clients and 10 of the 28 tested OpenPGP email clients. While it is necessary to change the OpenPGP and S/MIME standards to fix these vulnerabilities, some clients had even more severe implementation flaws allowing straightforward exfiltration of the plaintext.

    In addition to the attacks on encryption schemes in OpenPGP and S/MIME, we give an overview of our current work targeting email signatures. We present several techniques to spoof signed emails on different levels.

    The talk is based on our papers published at USENIX Security 2018 and 2019.

  • Gilles Van Assche, STMicroelectronics, Belgium
  • Title: Overview of the sponge, duplex and Farfalle constructions
    Abstract: In this presentation, we introduce the sponge construction that allows one to build an extendable output function (XOF) from a cryptographic permutation. Starting from this point, we then explore different variants along two axes. On the first axis, we highlight the differences in security when used for hashing (unkeyed) or for encryption and authentication (keyed). And on the second axis, we show how to add incremental input properties, using the duplex constructions and variants. We also set the stage with the indifferentiability and the indistinguishability frameworks for unkeyed and keyed applications, respectively. Finally, we explore the permutation-based Farfalle construction as a way to build an efficient deck function from permutation components.
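    As an added illustration of the unkeyed sponge used as a XOF and of the duplex variant described in this abstract (example code written for this page, not from the talk or from the Keccak team), the following toy sponge runs over a constructed, deliberately insecure ARX permutation; RATE, CAPACITY, toy_permutation and the Duplex class are assumptions, and only the absorb/squeeze and padding logic is the generic construction.

```python
RATE = 8       # r: bytes absorbed or squeezed per permutation call
CAPACITY = 8   # c: bytes never exposed directly; a real sponge's security is ~c/2 bits
WIDTH = RATE + CAPACITY
MASK64 = (1 << 64) - 1

def toy_permutation(state: bytes, rounds: int = 12) -> bytes:
    """Constructed toy ARX permutation on two 64-bit words: bijective, but NOT secure."""
    a = int.from_bytes(state[:8], "little")
    b = int.from_bytes(state[8:], "little")
    for i in range(rounds):
        a = (a + b) & MASK64
        b = ((b << 13) | (b >> 51)) & MASK64
        b ^= a
        a = ((a << 32) | (a >> 32)) & MASK64
        a ^= i  # round constant, breaks round-to-round symmetry
    return a.to_bytes(8, "little") + b.to_bytes(8, "little")

def pad10star1(msg: bytes, rate: int = RATE) -> bytes:
    """Keccak-style multi-rate padding: append 0x01, zero-fill, set top bit of last byte."""
    padded = bytearray(msg) + b"\x01"
    padded += b"\x00" * (-len(padded) % rate)
    padded[-1] |= 0x80
    return bytes(padded)

def absorb_block(state: bytes, block: bytes) -> bytes:
    """XOR one rate-sized block into the outer part of the state, then permute."""
    outer = bytes(s ^ m for s, m in zip(state[:RATE], block))
    return toy_permutation(outer + state[RATE:])

def sponge_xof(msg: bytes, out_len: int) -> bytes:
    """Unkeyed sponge as XOF: absorb all of msg, then squeeze out_len bytes."""
    state = bytes(WIDTH)
    padded = pad10star1(msg)
    for i in range(0, len(padded), RATE):
        state = absorb_block(state, padded[i:i + RATE])
    out = bytearray()
    while len(out) < out_len:   # squeeze: emit outer part, permute, repeat
        out += state[:RATE]
        state = toy_permutation(state)
    return bytes(out[:out_len])

class Duplex:
    """Duplex object: each call absorbs one short input and immediately returns output;
    the i-th output equals a sponge call on pad(sigma_0)||...||pad(sigma_{i-1})||sigma_i."""
    def __init__(self) -> None:
        self.state = bytes(WIDTH)
    def duplexing(self, sigma: bytes, out_len: int = RATE) -> bytes:
        assert len(sigma) < RATE and out_len <= RATE, "one block in, at most r bytes out"
        self.state = absorb_block(self.state, pad10star1(sigma))
        return self.state[:out_len]
```

The XOF's prefix property (a shorter output is a prefix of a longer one) and the duplex-to-sponge equivalence both follow directly from this structure and can be checked by calling sponge_xof and Duplex on the same inputs.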

  • Ingrid Verbauwhede, KU Leuven, Belgium