Summer School Talks

Many important proof techniques used in the are of provable security, however, did not originally consider attackers that are able to run quantum attacks, with an important example being random oracle techniques. To be able to reason about post-quantum security, it is necessary to adapt the provable security toolkit. In this session, I will give a short introduction into security proofs and the random oracle model, including examples related to NIST's post-quantum standardisation effort, and give examples how pre-quantum reasoning can be adapted such that it still works even if quantum attackers are added to the picture.

In this lecture, we will give an overview of the Number Field Sieve algorithm, which is the best known algorithm for these settings. We will then focus on recent advances in the p^k case, where tools from lattice theory come to the rescue to speed-up the computations.

In this talk, we will see how to design secure electronic voting protocols and how to analyze them using formal methods, in order to detect attacks at an early stage, or prove security. This yielded several enhancements of ProVerif, a state-of-the-art tool for analyzing security protocols.

For the code-based McEliece cryptosystem, we show that roughly 1/4 of its secret key is sufficient to recover the remaining information in polynomial time. For currently proposed security parameters such a secret key recovery requires at most 5 mins on a laptop.

For lattice-based LWE-type schemes, we show that a certain amount of so-called hints, which are inner products of the secret key with some random known vector, also lead to efficient full secret key recovery via LLL lattice reduction.

Matrix has seen wide adoption across the private and public sectors. It is used in operation (to varying degrees) by governmental organisations in Germany, France, Sweden and Luxembourg. Matrix is a popular choice within the free and open-source software ecosystem, with Mozilla, KDE and the FOSDEM 2022 conference all using the standard for communication. Overall, Matrix reportedly has over 80 million users and Matrix is currently being discussed by the More Instant Messaging Interoperability (MIMI) IETF working group that will specify a set of mechanisms to make messaging applications interoperable.

This talk will cover several practically-exploitable cryptographic vulnerabilities in Matrix, originally reported last autumn. These, together, invalidated the confidentiality and authentication guarantees claimed by Matrix against a malicious server. Most of these vulnerabilities have since been fixed.

Together, these vulnerabilities highlight the need for a systematic and formal analysis of the cryptography in the Matrix standard.

This talk is based on joint work with Sofía Celi (Brave Software), Benjamin Dowling (Security of Advanced Systems Group, University of Sheffield) and Daniel Jones (Information Security Group, Royal Holloway, University of London). See https://nebuchadnezzar-megolm.github.io/ for the paper.

Examining the underlying protocols, we find that many secure messaging schemes used bespoke cryptographic protocols to achieve end-to-end encryption, and that these designs are often introduced, implemented and adopted without formal analysis. The outcome of this approach has been played out in recent years: high-profile and devastating attacks against the cryptography used in Telegram, Matrix and Threema.

In this talk we discuss a methodology for analysing the cryptographic security of secure messaging protocols, using the Matrix standard as a case study. We highlight the process of abstracting and formalising a secure messaging scheme, and specifying the underlying protocol. We define a threat model and formally describe security properties, and finally analyse the scheme itself.

This talk is based on joint work with Martin Albrecht (King's College London) and Daniel Jones (Information Security Group, Royal Holloway, University of London).

As any delay in the transition to this new standard could have severe consequences for security critical use cases which require certified hardened designs, e.g., payment or automotive, the industrial and academic communities are actively investigating and solving issues that could arise.

In this session I will talk about real-world use cases related to PQC, such as integrating into secure boot and secure update protocols, the impact of PQC on very memory-constrained devices, re-using existing hardware and developing countermeasures against side-channel attacks.

In this session, we try to take a different perspective at computer security. Letting go of the technologists' view, we approach security as an effect of care-drive system and network engineering. Starting from the human-factors driven challenge of simple mistakes--security misconfigurations--we reflect on the role of digital infrastructure in our society, and what it means for systems to be secure, privacy preserving, and ultimately safe. We explore how socio-economic interaction effects influence approaches to security and privacy, and take a look at the conundrum between digital infrastructures' increasing centralization, infrastructural power, privacy and security.

From this reflection on security, privacy, and digital infrastructures, we then converge on the ultimate question in the realm of computer science in our time: "Do we care to care for secure and dependable digital infrastructure, that cares for us?"

Cryptography is a beautiful branch of mathematics with a nice goal of providing information security. To be useful in practical applications, the algorithms run on hardware or software, with software ultimately running also on hardware processors. This presentation covers multiple topics that link hardware design and cryptography.

The presentation aims to link the mathematical goals of security and privacy with the challenges of hardware realizations. These challenges are multifold.

A very nice aspect of cryptography is that it reduces what must be secret to the keys, while the algorithm can be publicly known. The hardware is responsible for keeping the key(s) secret. Side-channel, fault attacks, and other physical attacks make this a challenging task.

Provable Secure mathematical countermeasures against physical attacks rely on models to abstract how the hardware behaves. Unfortunately, the models are often the weak link between theory and practice. As a result, many ‘provable-secure’ implementations are still broken in practice.

Circuit designers learn how to optimize for area, throughput, latency, power, and energy. These are the classical optimization goals. The elephant in the room is that the implementations also need to resist attacks. Countermeasures to resist timing, side-channel, fault, micro-architectural and other attacks can have a huge implementation cost which adds an extra design dimension.

As a last topic, hardware provides the means to accelerate the computationally demanding operations of cryptography. The most recent example is the realization of a new generation of post-quantum algorithms, and acceleration of fully homomorphic encryption.

Through an exploration of past network generations (2G-5G), we will examine past security breaches and privacy violations that occurred, while highlighting the advancements made in response to these threats. I will showcase findings of our research, including 5G SUPI/SUCI catching and public warning system attacks, which shed light on various ways in which user localization and message integrity can be compromised. For instance, I will reveal how encrypted SUCIs fail to fully prevent user tracking, although they prevent an attacker from deriving a user’s identity. Furthermore, we will discuss current efforts aimed at testing the security of 5G user equipment. Finally, we will take a glimpse into the future of 6G networks and discuss the most likely security challenges that will arise, as well as security advancements needed in order to meet these challenges.

In the second part of the presentation, we focus on combination of fault attack with power attacks. We demonstrate one of the first practical combined attacks (laser + power) on bit permutation based ciphers like PRESENT and GIFT as well as on widely used redundancy countermeasure. The attack methodology can be further adapted to perform deep round attacks on algorithms like AES. The power of combined side-channel and fault attacks is further shown to evaluate advanced countermeasures like DOMREP, which individually provides side-channel and fault protection of arbitrary order. We show that higher order masking of DOMREP can leak at first order in presence of faults.

We will also discuss the security problems of automotive radar, where we will show how easily radio frequency radar signals can be manipulated to fake distances and velocities, compromising the safety of the vehicle and passengers. We will see how even with cryptographic primitives, the challenges to securing positioning, navigation, and timing technologies is no trivial task. The talk will aim to highlight the fundamental limits that exist in securing current technologies and a call for designing secure alternatives.

This talk will survey these use cases and relevant techniques, with particular attention to the connections and boundaries between them. We'll also discuss practical issues in applying these techniques to real applications, and instantiating these trust models in the real world.