SECITC 2022: 15TH INTERNATIONAL CONFERENCE ON SECURITY FOR INFORMATION TECHNOLOGY AND COMMUNICATIONS
PROGRAM FOR THURSDAY, DECEMBER 8TH

08:30-08:45 Session 1: SECITC 2022: Opening (CET Time)

Welcome Speeches

Giampaolo BELLA, Mihai DOINEA and Helge JANICKE, Conference Chairs

Chair:
Mihai Doinea (Bucharest University of Economic Studies, Romania)
08:45-09:00 Session 2: SECITC 2022: Welcome Speeches (CET Time)

Representatives from:

Military Technical Academy, Department of Computer Science and Military Information Systems - Ion BICA

Bucharest University of Economic Studies, Department of Economic Informatics and Cybernetics - Catalin BOJA

Advanced Technologies Institute (ITA) - Diana MAIMUT

Chair:
Mihai Doinea (Bucharest University of Economic Studies, Romania)
09:00-10:00 Session 3: SECITC 2022: Invited Talk (CET Time)
Chair:
Mihai Doinea (Bucharest University of Economic Studies, Romania)
09:00
Luca Vigano (King’s College London, UK)
Formal Methods for Socio-Technical Security (Formal and Automated Analysis of Security Ceremonies)

ABSTRACT. Software engineers and analysts traditionally focus on cyber systems as technical systems, which are built only from software processes, communication protocols, crypto algorithms, etc. They often neglect, or choose not, to consider the human user as a component of the system’s security as they lack the expertise to fully understand human factors and how they affect security. However, humans should not be designed out of the security loop. Instead, we must deal with security assurance as a true socio-technical problem rather than a mere technical one, and consider cyber systems as socio-technical systems with people at their hearts. The main goal of this talk is to advocate the use of formal methods to establish the security of socio-technical systems, and to discuss some of the most promising approaches, including those that I have helped develop.

10:00-12:00 Session 4: Presentations, Chair: Helge JANICKE (CET Time)
Chair:
Helge Janicke (Edith Cowan University, Australia)
10:00
Yuichi Komano (Toshiba Corporation, Japan)
Mitsugu Iwamoto (The University of Electro-Communications, Japan)
Kazuo Ohta (The University of Electro-Communications, Japan)
Kazuo Sakiyama (The University of Electro-Communications, Japan)
Lightweight Authentication Using Noisy Key Derived from Physically Unclonable Function
PRESENTER: Yuichi Komano

ABSTRACT. Internet of things (IoT) systems consist of many devices that send their sensor data to cloud servers. Cryptographic authentication is essential for maintaining the consistency of these systems, and lightweight authentication in particular is required because most IoT devices are resource-constrained. Physically unclonable functions (PUF) are promising tools for protecting such devices from cyber-attacks. They can naturally generate a unique but noisy (i.e., erroneous) key for a device without implementing costly secure key storage in the device. However, a costly error correction technique is required to remove the noise. In this paper, we propose a lightweight authentication scheme with a noisy key (i.e., an uncorrected key) naturally derived from a PUF. The security of our scheme is based on a combinatorial problem with small noise. We also discuss its security and feasibility.

10:20
Debasmita Chakraborty (Indian Statistical Institute, Kolkata, India)
Santu Pal (Indian Statistical Institute, Kolkata, India)
Superpoly Recovery of Grain-128AEAD Using Division Property

ABSTRACT. The cube attack is a powerful cryptanalytic technique against stream ciphers. Cube attacks exploit the algebraic properties of symmetric ciphers by recovering a particular polynomial, the superpoly, and subsequently, the secret key. Nowadays, the division property based approach has become very popular, allowing us to recover the exact superpoly cleverly. However, the computational cost to recover the superpoly becomes prohibitive as the number of rounds of the cipher increases. In this paper, we study NIST lightweight 3rd round candidate Grain-128AEAD in the light of division property-based cube attacks. We first introduce some good cubes of dimensions 91, 92, 93, 94, and then we construct an algorithm to find conditional key bits for the cubes of Grain-128AEAD mentioned above. Next, we apply three subset division property-based cube attacks without unknown subsets to recover exact superpolies for 192, 193, 194, 195-round Grain-128AEAD in the weak-key setting, which are the longest till now. Moreover, we are able to find good cubes that are used to build distinguishers of Grain-128AEAD in the weak-key setting. In particular, we show that Grain-128AEAD can be distinguished from a random source up to 193-rounds in the weak-key setting, which is the best zero-sum distinguisher of Grain-128AEAD till now using division property-based cube attacks.

10:40
Ahmad Khoureich Ka (Université Alioune Diop de Bambey, Senegal)
Easy-ABE: an Easy Ciphertext-Policy Attribute-Based Encryption

ABSTRACT. Attribute-Based Encryption is widely recognized as a leap forward in the field of public key encryption. It allows enforcing access control on encrypted data. Decryption time in ABE schemes can be long depending on the number of attributes and pairing operations. This drawback hinders their adoption on a broader scale.

In this paper, we propose a non-monotone CP-ABE scheme that has no restrictions on the size of attribute sets and policies, allows fast decryption and is adaptively secure under the CBDH-3 assumption. To achieve this, we approached the problem from a new angle, namely using a set membership relation for access structure. We have implemented our scheme using the Java Pairing-Based Cryptography Library (JPBC) and the source code is available on GitHub.

11:00
Amirreza Hamidi (James Cook University Australia, Australia)
Hossein Ghodosi (James Cook University Australia, Australia)
Efficient Distributed Keys Generation of Threshold Paillier Cryptosystem
PRESENTER: Amirreza Hamidi

ABSTRACT. Paillier cryptosystem is the building block of many cryptographic protocols. The secure keys generation without a trusted dealer is an essential scheme in a distributed system since the dealer may be under the threat of a single point of attack. We present a distributed keys generation scheme of the threshold Paillier’s encryption system using efficient multiparty computation. Our scheme consists of two offline and online phases where the offline phase can be implemented at any time well in advance of the computation phase. Both the public and the private keys are computed and verified in the presence of at least n ≥ t + 1 participants in the actual online phase. This gives an improvement on the previous studies where at least a number of 2t + 1 parties are required for the keys generation. Furthermore, the private communication complexity of our scheme is O(n^2) field elements with no broadcast communication overhead which improves on the total communication complexity of [20]. Our protocol maintains the security against a static active adversary corrupting up to t participants with the small probability of error using message authentication codes. Also, the computed keys are t-private, i.e., any subset of equal or less than t parties cannot gain any information about the factorization of N.

11:20
Masahisa Shimano (The University of Electro-Communications, Japan)
Kazuo Sakiyama (The University of Electro-Communications, Japan)
Daiki Miyahara (The University of Electro-Communications, Japan)
Towards Verifying Physical Assumption in Card-Based Cryptography
PRESENTER: Masahisa Shimano

ABSTRACT. Card-based cryptography realizes cryptographic tasks, such as secure computation, with a deck of physical cards. The primary research subjects for card-based cryptography are theoretical studies that, for example, propose efficient protocols regarding the number of required cards and procedures. However, almost all prior studies are based on the ideal physical assumption that the backs of all cards are indistinguishable without verification. This study addresses this assumption from a physical perspective to improve the security of card-based cryptography. In the first attempt, we assume a strong attacker who uses ink and a high-performance camera to distinguish the backs of the cards. We experimented with them and confirmed that such an attacker could identify the inked area of the back by analyzing an image captured by the camera. Based on our study, one can address another approach, such as using invisible oil and smartphone cameras to verify the physical assumption. This study is a seminal work that addresses this physical assumption. In addition to the verification, we study secret information that such a strong attacker can obtain during the execution of card-based protocols.

11:40
Giampaolo Bella (Università di Catania, Italy)
The Right Level of Human Interaction to Establish Cybersecurity - invited paper

ABSTRACT. TBA

12:00-13:00 Lunch Break (CET Time)
13:00-15:20 Session 5: Presentations, Chair: Mihai DOINEA (CET Time)
Chair:
Mihai Doinea (Bucharest University of Economic Studies, Romania)
13:00
Lukasz Lapczyk (Queen's University, Canada)
David Skillicorn (Queen's University, Canada)
Activity Detection from Encrypted Remote Desktop Protocol Traffic
PRESENTER: Lukasz Lapczyk

ABSTRACT. An increasing amount of Internet traffic has its content encrypted. We address the question of whether it is possible to predict the activities taking place over an encrypted channel, in particular Microsoft's Remote Desktop Protocol. We show that the presence of five typical activities can be detected with precision greater than 97% and recall greater than 94% in 30-second traces. We also show that the design of the protocol exposes fine-grained actions such as keystrokes and mouse movements which may be leveraged to reveal properties such as lengths of passwords.

13:20
Jana Medková (University of Hradec Králové, Czechia)
Josef Hynek (University of Hradec Králové, Czechia)
Application-Oriented Anonymization Framework for Social Network Datasets and IoT Environments
PRESENTER: Jana Medková

ABSTRACT. Everyday usage of online Internet services and the recent rise of the Internet of Things (IoT) cause the collection of a massive amount of data, including personal and sensitive information. Anonymization enables providers to share their datasets and preserve the privacy of individuals at the same time. It is a valuable tool for preserving individuals' privacy in social network datasets and IoT environments. Researchers recently focused on developing a universal and robust anonymization method to keep privacy and preserve almost all data utility. Many various anonymization methods have been developed; however, none meet the requirements perfectly. The application-oriented anonymization has been recently discussed only for relational datasets. This paper introduces the framework for application-oriented anonymization for social network datasets and IoT environments. In our framework, it is not necessary to preserve all data utility but only the data utility specified by the data recipient. While requesting the anonymized social network data, the data receiver can specify the metrics that should be kept as close to the original graph as possible. While requesting anonymized data from the cloud in an IoT environment, the data receiver can prioritize attributes. It enables the data recipient to customize the anonymized data and the data provider to control the computing over their dataset. Moreover, we discuss the vulnerability of application-oriented anonymization to composition attacks.

13:40
Mugurel Barcau (certSIGN R&I and Institute of Mathematics "Simion Stoilow" of the Romanian Academy, Romania)
Cristian Lupascu (certSIGN R&I and Ferdinand I Military Technical Academy, Romania)
Vicentiu Pasol (certSIGN R&I and Institute of Mathematics "Simion Stoilow" of the Romanian Academy, Romania)
George Catalin Turcas (certSIGN R&I and Babes-Bolyai University, Romania)
Bridges Connecting Encryption Schemes

ABSTRACT. The present work investigates a type of morphisms between encryption schemes, called bridges. By associating an encryption scheme to every such bridge, we define and examine their security. Inspired by the bootstrapping procedure used by Gentry to produce fully homomorphic encryption schemes, we exhibit a general recipe for the construction of bridges. Our main theorem asserts that the security of a bridge reduces to the security of the first encryption scheme together with a technical additional assumption.

14:00
Giovanni Di Crescenzo (Peraton Labs, United States)
Matluba Khodjaeva (CUNY John Jay College of Criminal Justice, United States)
Ta Chen (Peraton Labs, United States)
Rajesh Krishnan (Peraton Labs, United States)
David Shur (Peraton Labs, United States)
Delaram Kahrobaei (CUNY Graduate Center, United States)
Vladimir Shpilrain (City University of New York, United States)
On Single-Server Delegation of RSA

ABSTRACT. In delegated computation research, the main problem asks how a computationally weaker client device can obtain help from one or more computationally stronger server devices to perform some computation. Desirable solution requirements include correctness of the computation, privacy of the inputs, high probability detection of any server malicious behavior, low client online runtime, low communication complexity, low client storage complexity, and minimal server trust.

In this paper we investigate the problem of single-server delegated computation of the encryption and decryption algorithms in the ubiquitously applied RSA public-key cryptosystem. Our contribution includes state-of-the-art summaries, the first delegated computation protocol for small-exponent RSA encryption, an improved delegated computation protocol for RSA decryption, and an analysis of the impact of both computation and communication to the client device energy, including an upper bound on the communication energy impact, which may be of independent interest.

14:20
Johann Groszschaedl (University of Luxembourg, Luxembourg)
Christian Franck (University of Luxembourg, Luxembourg)
Lightweight Permutation-Based Cryptography for the Ultra Low Power Internet of Things

ABSTRACT. The U.S. National Institute of Standards and Technology is currently undertaking a process to evaluate and eventually standardize one or more "lightweight" algorithms for authenticated encryption and hashing that are suitable for resource-restricted devices. In addition to security, this process takes into account the efficiency of the candidate algorithms in various hardware environments (e.g. FPGAs, ASICs) and software platforms (e.g. 8, 16, 32-bit microcontrollers). However, while there exist numerous detailed benchmarking results for 8-bit AVR and 32-bit ARM/RISC-V/ESP32 microcontrollers, relatively little is known about the candidates' efficiency on 16-bit platforms. In order to fill this gap, we present a performance evaluation of the final-round candidates Ascon, Schwaemm, TinyJambu, and Xoodyak on the MSP430 series of ultra-low-power 16-bit microcontrollers from Texas Instruments. All four algorithms were explicitly designed to achieve high performance in software and have further in common that the underlying primitive is a permutation. We discuss how these permutations can be implemented efficiently in Assembly language and analyze how basic design decisions impact their execution time on the MSP430 architecture. Our results show that, overall, Schwaemm is the fastest algorithm across various lengths of data and associated data, respectively. Xoodyak has benefits when large amounts of associated data are processed, whereas Ascon is relatively efficient for short data (resp. associated data) lengths.

14:40
Sampath Rajapaksha (Robert Gordon University, UK)
Janaka Senanayake (Robert Gordon University, UK)
Harsha Kumara Kalutarage (Robert Gordon University, UK)
Mhd Omar Al Kadri (Birmingham City University, UK)
AI-Powered Vulnerability Detection for Secure Source Code Development

ABSTRACT. Vulnerable source code in software applications is causing paramount reliability and security issues. Software security principles should be integrated to reduce these issues at the early stages of the development lifecycle. Artificial Intelligence (AI) could be applied to detect vulnerabilities in source code. In this research, a Machine Learning (ML) based method is proposed to detect source code vulnerabilities in C/C++ applications. Furthermore, Explainable AI (XAI) was applied to support developers in identifying vulnerable source code tokens and understanding their causes. The proposed model can detect whether the code is vulnerable or not in binary classification with 0.96 F1-Score. In case of vulnerability type detection, a multi-class classification based on CWE-ID, the model achieved 0.85 F1-Score. Several ML classifiers were tested, and the Random Forest (RF) and Extreme Gradient Boosting (XGB) performed well in binary and multi-class approaches respectively. Since the model is trained on a dataset containing actual source codes, the model is highly generalizable. Furthermore, the model is integrated with a live web portal to provide comprehensive developer support to enhance the security of the source code.

15:00
George Teseleanu (IMAR, Romania)
The Security of Quasigroups Based Substitution Permutation Networks

ABSTRACT. The study of symmetric structures based on quasigroups is relatively new and certain gaps can be found in the literature. In this paper, we want to fill one of these gaps. More precisely, in this work we study substitution permutation networks based on quasigroups that make use of permutation layers that are non-linear relative to the quasigroup operation. We prove that for quasigroups isotopic with a group $\mathbb{G}$, the complexity of mounting a differential attack against this type of substitution permutation network is the same as attacking another symmetric structure based on $\mathbb{G}$. The resulting structure is interesting and new, and we hope that it will form the basis for future secure block ciphers.