Talks

Summer School Talks

Here are the currently confirmed summer school talks!

Recent advances in computing discrete logarithms in finite fields
Speaker: Pierrick Gaudry
Abstract: The discrete logarithm problem in finite fields is the basis of the security of many deployed cryptographic products. Prime fields (of the form Z/pZ, for a prime p) are frequently used, and in the realm of pairing-friendly elliptic curves, fields of cardinality p^k are involved, where k is around 10.

In this lecture, we will give an overview of the Number Field Sieve algorithm, which is the best known algorithm for these settings. We will then focus on recent advances in the p^k case, where tools from lattice theory come to the rescue to speed-up the computations.

Formal verification of electronic voting systems
Speaker: Véronique Cortier
Abstract: Electronic voting aims at guaranteeing apparently conflicting properties: no one should know how I voted and yet, I should be able to check that my vote has been properly counted. Electronic voting belongs to the large family of security protocols, that aim at securing communications against powerful adversaries that may read, block, and modify messages.

In this talk, we will see how to design secure electronic voting protocols and how to analyze them using formal methods, in order to detect attacks at an early stage, or prove security. This yielded several enhancements of ProVerif, a state-of-the-art tool for analyzing security protocols.

Secret Key Recovery from Partial Information in the Pre- and Post-Quantum World
Speaker: Alexander May
Abstract: Some cryptographic schemes, like RSA, have the remarkable property that partial leakage of their secret key leads to efficient full secret key recovery (in polynomial time). In this talk, we question the common belief that modern post-quantum schemes are widely resistant to full secret key recovery from partial information.

For the code-based McEliece cryptosystem, we show that roughly 1/4 of its secret key is sufficient to recover the remaining information in polynomial time. For currently proposed security parameters such a secret key recovery requires at most 5 mins on a laptop.

For lattice-based LWE-type schemes, we show that a certain amount of so-called hints, which are inner products of the secret key with some random known vector, also lead to efficient full secret key recovery via LLL lattice reduction.

Six Attacks on Matrix
Speaker: Martin Albrecht
Abstract: Matrix is an open standard for interoperable, federated, real-time communication over the Internet. In particular, the specification defines a federated communication protocol allowing clients, with accounts on different Matrix servers, to exchange messages across the entire ecosystem.

Matrix has seen wide adoption across the private and public sectors. It is used in operation (to varying degrees) by governmental organisations in Germany, France, Sweden and Luxembourg. Matrix is a popular choice within the free and open-source software ecosystem, with Mozilla, KDE and the FOSDEM 2022 conference all using the standard for communication. Overall, Matrix reportedly has over 80 million users and Matrix is currently being discussed by the More Instant Messaging Interoperability (MIMI) IETF working group that will specify a set of mechanisms to make messaging applications interoperable.

This talk will cover several practically-exploitable cryptographic vulnerabilities in Matrix, originally reported last autumn. These, together, invalidated the conﬁdentiality and authentication guarantees claimed by Matrix against a malicious server. Most of these vulnerabilities have since been fixed.

Together, these vulnerabilities highlight the need for a systematic and formal analysis of the cryptography in the Matrix standard.

This talk is based on joint work with Sofía Celi (Brave Software), Benjamin Dowling (Security of Advanced Systems Group, University of Sheffield) and Daniel Jones (Information Security Group, Royal Holloway, University of London). See https://nebuchadnezzar-megolm.github.io/ for the paper.

Formally Analysing Secure Messaging
Speaker: Benjamin Dowling
Abstract: The last decade has seen the rapid adoption and widespread use of secure messaging schemes: chat applications that enable end-to-end encryption between two or more parties. These services are integrated into our personal and professional lives, and even used for highly sensitive and confidential communication. WhatsApp alone claims two billion active users and is used across government departments within the UK, Telegram half a billion active users, and Matrix is used across the public sector within the EU.

Examining the underlying protocols, we find that many secure messaging schemes used bespoke cryptographic protocols to achieve end-to-end encryption, and that these designs are often introduced, implemented and adopted without formal analysis. The outcome of this approach has been played out in recent years: high-profile and devastating attacks against the cryptography used in Telegram, Matrix and Threema.

In this talk we discuss a methodology for analysing the cryptographic security of secure messaging protocols, using the Matrix standard as a case study. We highlight the process of abstracting and formalising a secure messaging scheme, and specifying the underlying protocol. We define a threat model and formally describe security properties, and finally analyse the scheme itself.

This talk is based on joint work with Martin Albrecht (King's College London) and Daniel Jones (Information Security Group, Royal Holloway, University of London).

Computer Security: An effect, not a goal
Speaker:Tobias Fiebig
Abstract: Building secure digital infrastructure is often seen as the ultimate goal of the field of computer security. As researchers, we do our best to contribute to this goal, and develop new technology focused at securing existing and future systems; From the hardware layer, over cryptography, operating systems, and systems' security, to network security, intrusion detection, and ultimately usable security and privacy.

In this session, we try to take a different perspective at computer security. Letting go of the technologists' view, we approach security as an effect of care-drive system and network engineering. Starting from the human-factors driven challenge of simple mistakes--security misconfigurations--we reflect on the role of digital infrastructure in our society, and what it means for systems to be secure, privacy preserving, and ultimately safe. We explore how socio-economic interaction effects influence approaches to security and privacy, and take a look at the conundrum between digital infrastructures' increasing centralization, infrastructural power, privacy and security.

From this reflection on security, privacy, and digital infrastructures, we then converge on the ultimate question in the realm of computer science in our time: "Do we care to care for secure and dependable digital infrastructure, that cares for us?"