HGI Colloquium
During term-time the institute hosts various talks on current topics of IT security within the HGI Colloquium. The Chairs of the Institute take turns in organizing these seminar series, which is open to all interested parties. External guests are always welcome. By subscribing to the HGI-Newsletter you will receive an according announcement (subscribe)
Unless otherwise stated, the Colloquium will take place every week on Thursday at 11am, room ID 04/413.
Getting to the Ruhr-University
For information on how to get to the university, please, refer to our contact link.
This semester the HGI Kolloquium is organized by the Chair for Systems Security (SysSec). Below is a list of scheduled events and lectures for the whole semester. Unless otherwise announced, all talks will take place on Thursday at 11:00 sharp.
| Date | Speaker | Affiliation | Topic | Room | Time |
|---|---|---|---|---|---|
| 25.04.2013 | Oliver Mischke | RUB | Masking the AES Sbox - Implementation Aspects and Side-Channel Analysis | ID 04/413 | 11.00 Uhr |
| 02.05.2013 | Michael Schneider | TU Darmstadt | Challenges in Lattice-Based Cryptography | ID 04/413 | 11.00 Uhr |
| 16.05.2013 | Douglas Stebila | Queensland University of Technology | Double-authentication-preventing signatures | ID 04/413 | 11.00 Uhr |
| 20.06.2013 | Kenny Paterson | Royal Holloway College, University of London | TLS Security - Where Do We Stand? | ID 04/413 | 11.00 Uhr |
| 27.06.2013 | Johann Heyszl | Fraunhofer AISEC | TBA | ID 04/413 | 11.00 Uhr |
Masking the AES Sbox - Implementation Aspects and Side-Channel Analysis
While in todays world most cryptographic algorithm are secure from a mathematical point of view considering a black-box scenario, the implementations of many of them can easily be broken if attacked by side-channel analysis (SCA). This talk will focus on the security of a masked AES Sbox, using the masking scheme of Canright as a case study. While it should in theory be able to resist against a certain type of SCA, glitches in the underlying hardware circuit cause an exploitable leakage. Different methods to increase the resistance of the implementation against power analysis attackes are analyzed and compared. First we will add shuffling as a hiding-based countermeasure and evaluate how it complements the chosen masking scheme. Second we will present a new implementation technique which utilizes the special way FPGA elements are constructed to minimize or completely eliminate the effect of glitches.
Challenges in Lattice-Based Cryptography
Lattice-based cryptography is one of the most promising candidates for future cryptography. The security of lattice-based schemes relies on the hardness of lattice problems that remain secure even in the presence of large-scale quantum computers. But so far, lattice-based cryptosystems come with a few issues that have to be addressed before a real-world rollout can take place.
In the area of cryptanalysis, there is still no common approach of assessing the practical security of lattice-based schemes. In addition, there are new heuristic improvements to the strongest algorithms for cryptanalysis that have to be taken into account.
From the implementation point of view, lattice-based schemes are supposed to be easy to implement. They only apply simple operations like matrix or polynomial multiplication and addition. A closer look reveals the necessity to implement these operations in a fast and clever manner, in order to make the schemes comparable to classical cryptosystems.
We give an overview of the challenges in both areas, cryptanalysis as well as practical implementations.
Double-authentication-preventing signatures
Digital signatures are often used by trusted authorities to make unique bindings between a subject and a digital object; for example, certificate authorities certify a public key belongs to a domain name, and time-stamping authorities certify that a certain piece of information existed at a certain time. Traditional digital signature schemes however impose no uniqueness conditions, so a malicious or coerced authority can make multiple certifications for the same subject but different objects. We propose the notion of a double-authentication-preventing signature, in which a value to be signed is split into two parts: a subject and a message. If a signer ever signs two different messages for the same subject, enough information is revealed to allow anyone to compute valid signatures on behalf of the signer. This double-signature forgeability property prevents, or at least strongly discourages, signers misbehaving. We give a generic construction using a new type of trapdoor functions with extractability properties, which we show can be instantiated using quadratic residues modulo a Blum integer.
TLS Security - Where Do We Stand?
TLS is the de facto secure protocol of choice on the Internet. In this talk, I'll give an overview of the state-of-the-art of TLS security, focusing mostly on the TLS Record Protocol which is responsible for providing the basic secure channel functionality in TLS. I'll focus on recently-discovered vulnerabilities in the TLS specification and its cryptographic algorithms. These lead to plaintext recovery attacks against TLS-protected traffic. I will reflect on why the deployment of secure cryptography is seemingly so hard, and what the barriers are to adopting better approaches than the current techniques used in TLS.
TBA
To be announced.