Dieses Semester wurde das Seminar vom Lehrstuhl für Netz- und Datensicherheit organisiert. Untenstehend finden Sie eine Liste der Termine und Vorträge für das ganze Semester.

Datum | Vortragende Person | Zugehörigkeit | Titel | Raumnummer | Beginn |
---|---|---|---|---|---|

07. April 2011 | Anja Becker | Université de Versailles, France | Improved Generic Algorithms for Hard Knapsacks | ID 03/445 | 11.00 Uhr |

07. April 2011 | Antoine Joux | Université de Versailles, France | Cover and Decomposition Index Calculus on Elliptic Curves made practical | ID 03/445 | 12.00 Uhr |

14. April 2011 | Mario Heiderich | Ruhr-Universität Bochum | The Image that called me - Security impact of Scalable Vector Graphics on the WWW | ID 03/411 | 12.00 Uhr |

05. Mai 2011 | Rainer Böhme | Uni Münster | Towards Insurable Networks | ID 03/411 | 12.00 Uhr |

12. Mai 2011 | Amir Moradi | Ruhr-Universität Bochum | Pushing the Limits: A Very Compact and a Threshold Implementation of AES | ID 03/411 | 12.00 Uhr |

09. Juni 2011 | Aydin Sezgin | Universität Ulm | Information Theoretic Secrecy in Broadcast Channels with Receiver Side Information | ID 03/411 | 12.00 Uhr |

01. Juli 2011 | Dennis Hofheinz | Karlsruher Institut für Technologie (KIT) | GNUC -- A New Universal Composability Framework | ID 04/401 | 11.00 Uhr |

06. Juli 2011 | Stefan Mangard | Infineon | The Challenge of Protecting Embedded Systems Against Physical Attacks | ID 04/471 | 14.30 Uhr |

# Improved Generic Algorithms for Hard Knapsacks

Anja Becker

At Eurocrypt 2010, Howgrave-Graham and Joux described an algorithm for solving hard knapsacks of density close to 1 in time O^~(2^{0.337n}) and memory O^~(2^{0.256n}), thereby improving a 30-year old algorithm by Shamir and Schroeppel. Our new technique allows us to get an algorithm with running time down to O^~(2^{0.291n}).

The knapsack instance is divided in two halves with possible overlap, as in the Howgrave-Graham--Joux algorithm, but the set of possible coefficients is extended from {0,1} to {-1,0,+1}. This means that a coefficient -1 in the first half can be compensated with a coefficient +1 in the second half, resulting in an coefficient 0 of the golden solution. To reveal the golden solution, we therefore search for one decomposition (out of many) of the solution by solving two knapsacks. Adding (a few) -1 coefficients brings an additional degree of freedom that enables to again decrease the running time. To explain the idea, we will have a look at a practical example.

# Cover and Decomposition Index Calculus on Elliptic Curves made practical

Antoine Joux

We present a new variant of cover and decomposition attacks on the elliptic curve discrete logarithm problem, that combines Weil descent and decomposition-based index calculus into a single discrete logarithm algorithm. This variant applies, at least theoretically, to all composite degree extension fields, and is particularly well-suited for curves defined over $F_{p6}$. We give a real-size example of discrete logarithm computations on a seemingly secure curve over a $130$-bit degree $6$ extension field.

# The Image that called me - Security impact of Scalable Vector Graphics on the WWW

Mario Heiderich

Scalable Vector Graphics are about to conquer the web. Unlike most of their raster based companions from the GIF, PNG and JPEG family, their vector based structure allows to display them on many different devices with various screen sizes without losing visual information. The open XML based SVG sources permit addition of meta data, helping even the visually impaired and blind to get the most out of these images. Additional modules, such as animations, events, SVG fonts, several scripting APIs and inclusion of hyper-links, other images and documents and even arbitrary content from cross-domain sources make SVG the perfect image format for the future WWW.

Nevertheless, a powerful standard such as SVG certainly poses a lot of risks. This presentation provides a close look at SVG from a security perspective. How can attackers abuse this mighty image format, which ways exist to execute script code and worse, and what should web developers and browser vendors consider when dealing with SVG. How will HTML5 change the way to work with SVGs and why does it matter for security professionals to know about things like SVG Tiny, in-line SVG, SVGz and other acronyms from a world where imaging and scripting collide? Besides many examples of malicious SVGs the talk will shed light on a novel filtering tool capable of filtering and sanitizing SVG images without loss of important content.

# Towards Insurable Networks

Rainer Böhme

The speaker summarizes his interdisciplinary research to employ actuarial risk models for the evaluation of system architectures with regard to their insurability. Insurability is argued to be a precondition for improving the resilience of distributed systems against catastrophic failures and malicious attacks. The talk introduces three obstacles that hinder the development of a market for cyber-insurance in practice: interdependence, correlated risk, and information asymmetries. Open research questions and possible ways to overcome these obstacles are discussed.

# Pushing the Limits: A Very Compact and a Threshold Implementation of AES

Amir Moradi

Our contribution is twofold: first we describe a very compact hardware implementation of AES-128, which requires only 2400 GE. This is to the best of our knowledge the smallest implementation reported so far. Then we apply the threshold countermeasure by Nikova et al. to the AES S-box and yield an implementation of the AES improving the level of resistance against first-order side-channel attacks. Our experimental results on real-world power traces show that although our implementation provides additional security, it is still susceptible to some sophisticated attacks having enough number of measurements.

# Information Theoretic Secrecy in Broadcast Channels with Receiver Side Information

Aydin Sezgin

The conventional way to achieve confidentiality is by using cryptographic encryption based on keys. While this approach has both it advantages and disadanvtages, the information theoretic approach can be regarded as a powerful alternative or as an additional level of protection to achieve security in wireless networks. This approach guarantees both reliability and security, which the other approach can not.

We utilize this approach in the study of secret communication for broadcast channels with two legitimate receivers and one eavesdropper. The transmitter sends two independent confidential messages to both legitimate receivers which have to be kept secret from the eavesdropper. Here, each receiver is interested in its own message having the other confidential message already as side information available. This problem arises for example in the broadcast phase of a bidirectional relaying network, where a relay node establishes a bidirectional communication between two nodes while keeping the communication secure from eavesdroppers outside the network. We provide inner and outer bounds on the secrecy capacity region. For the inner bound, the transmitter adds intentionally structural randomness in form of stochastic coding, effectively jamming the eavesdropper while guaranteeing that the desired users get the information reliably. The outer and inner bounds do not coincide, however they provide some interesting insights.

# GNUC -- A New Universal Composability Framework

Dennis Hofheinz

This talk presents GNUC, a framework for the design and analysis of multi-party protocols. Like the well-known Universal Composability (UC) framework, we offer a universal composition theorem, as well as a joint state composition theorem. However, we deviate from UC in several important aspects, like the structuring of protocols, corruptions, and polynomial runtime. We motivate our design choices by explaining why the corresponding definitions in the UC framework are problematic, and how we overcome these problems.

# The Challenge of Protecting Embedded Systems Against Physical Attacks

Stefan Mangard

During the last decades, embedded processors found their way into all kinds of devices. Today, many applications and even entire business models critically rely on embedded hardware and software. This leads to a strong need for security, which is often addressed by implementing cryptographic algorithms on the embedded systems. However, it is important to understand that cryptography relies on the secrecy of keys. When cryptographic keys are stored and handled by an embedded system, the keys can easily become a target of so-called physical attacks. The b asic idea of these attacks is to analyze and to manipulate physical properties of the system in order to reveal its key.

The protection against physical attacks in embedded systems is a vivid research area and a crucial topic for all developers of hardware and software with strong security requirements. This talk provides a brief introduction to physical attacks and it sketches the most important challenges for countermeasures. Based on concrete examples it shows why security has a significant impact on the entire development process - from the design of a single logical gate up to the software interface.