Dieses Semester wurde das Seminar vom Lehrstuhl für Kryptologie & IT-Sicherheit organisiert. Untenstehend finden Sie eine Liste der Termine und Vorträge für das ganze Semester.

Datum | Vortragende Person | Zugehörigkeit | Titel | Raumnummer | Beginn |
---|---|---|---|---|---|

7. Mai 2012 | Michael Bailey | University of Michigan | A Personal Reflection on the Past, Present, and Future of Internet Threats | TBA | 11.00 Uhr |

10. Mai 2012 | Javier Herranz | Universitat Politècnica de Catalunya | Restricted Adaptive Oblivious Transfer | ID 04/653 | 11.00 Uhr |

16. Mai 2012 | Lubos Gaspar | Jean Monnet University | Symmetric-key crypto-processor and crypto-coprocessor systems with secure key management | ID 04/653 | 11.00 Uhr |

24. Mai 2012 | Markus Dürmuth | Ruhr-Universität Bochum | CANCELED | ID 04/653 | 11.00 Uhr |

31. Mai 2012 | Yuto Nakano | KDDI Labs | Analysis of Message Injection in Stream Cipher-Based Hash Functions | ID 04/653 | 11.00 Uhr |

15. Juni 2012 | Graham Steel | INRIA | "Million Message Attack" in 15 000 Messages, or Efficient Padding Oracle Attacks on Cryptographic Hardware | ID 03/653 | 11:00 Uhr |

21. Juni 2012 | Stephanie Bayer | University College London | Efficient Zero-Knowledge Argument for Correctness of a Shuffle | ID 04/653 | 11.00 Uhr |

28. Juni 2012 | Foteini Baldimtsi | Brown University | On The Security of One-Witness Blind Signature Schemes | ID 04/653 | 11.00 Uhr |

05. Juli 2012 | Christian Schneider | Technische Universität München | Bridging the Semantic Gap for Virtual Machine Introspection | ID 04/653 | 11.00 Uhr |

CANCELED | Enrico Thomae | Ruhr-Universität Bochum | Formal Concept Analysis and its relation to structured systems of multivariate quadratic equations | ID 04/653 | 11.00 Uhr |

# A Personal Reflection on the Past, Present, and Future of Internet Threats

|Michael Bailey| Michael Bailey

Over the last 10 years, the Internet has become increasingly intertwined in the economic, political, and social fabric of our societies. Despite its immense social importance, the Internet has proven remarkably susceptible to disruption, corruption, and manipulation, through such diverse threats as worms, botnets, phishing, distributed denial of service attacks, and spam. In this talk I reflect on the evolution of Internet threats from the perspective of my work and the work of out network and security group at the University of Michigan. As a detailed example, I will briefly highlight our work in analyzing malware and our efforts to use this intelligence and other sources of information to detect and mitigate Internet threats.

# Restricted Adaptive Oblivious Transfer

|Javier Herranz| Javier Herranz

In this talk we consider the following primitive, that we call restricted adaptive oblivious transfer. On the one hand, the owner of a database wants to restrict the access of users to this data according to some policy, in such a way that a user can only obtain information satisfying the restrictions imposed by the owner. On the other hand, a legitimate user wants to privately retrieve allowed parts of the data, in a sequential and adaptive way, without letting the owner know which part of the data is being obtained.

After having formally described the components and required properties of a protocol for restricted adaptive oblivious transfer, we propose two generic ways to realize this primitive. The first one uses a cryptographic tool which has received a lot of attention from the literature in the last years: cryptosystems which are both multiplicatively and additively homomorphic. Our second generic construction is based on secret sharing schemes.

# Symmetric-key crypto-processor and crypto-coprocessor systems with secure key management

|Lubos Gaspar| Lubos Gaspar

Hardware cryptographic systems are optimized for cryptographic algorithms such as cipher modes, key management operations and cryptographic protocols. Such a system usually contains a general-purpose processor (GPP) with cryptographic co-processor. However, the GPP manipulates the secret keys as ordinary data and modification (intentional or unintentional) of the program memory contents can enable reading the keys in clear outside the system. Thus, GPP are not suitable for security applications. We present novel separation rules which suggest how crypto-processors and crypto-coprocessors have to be designed to provide secure key management. The use of the separation rules will be demonstrated on the novel HCrypt crypto-processor which is optimized for the block cipher modes, packet management and most importantly secure key management. HCrypt features 128 bits wide datapath, 128-bit arithmetic logic unit, secure key storage, two AES ciphers and a true random number generator. If an application requires both a secure key management ability and GPP flexibility, the GPP can be extended by a security module. The presented security module is a crypto-coprocessor which complies with all separation rules. The security perimeter is strictly located within the security module. The GPP in conjunction with this security module is not only capable of general-purpose tasks, but also supports secure key management providing a very high security of confidential keys. This novel approach is demonstrated on three different GPP processors: Altera NIOS II, Xilinx MicroBlaze, ARM Cortex M1. The last part of the presentation will be dedicated to security challenges when partial reconfiguration technology is used.

# CANCELED

Markus Dürmuth

# Analysis of Message Injection in Stream Cipher-Based Hash Functions

Yuto Nakano

A common approach for the construction of cryptographic hash functions is to design the algorithm based on an existing symmetric encryption primitive. While there has been extensive research on the design of block cipher-based hash functions, little has been done on the study of design and security of stream cipher-based hash functions(SCH). In this paper we discuss the general construction of stream cipher-based hash functions, devoting special attention to one of the function’s crucial components: the message injection function. We define two types of message injection functions, which may be appended to the keystream generator (e.g. a stream cipher) to build an SCH. Based on these constructions, we evaluate the security of simple SCHs whose stream cipher function consists of a LFSR-based filter generator. We see this as an initial step in the more formal study of the security of hash function constructions based on stream ciphers.

# "Million Message Attack" in 15 000 Messages, or Efficient Padding Oracle Attacks on Cryptographic Hardware

|Graham Steel| Graham Steel

We show how to exploit the encrypted key import functions of a variety of different cryptographic devices to reveal the imported key. The attacks are padding oracle attacks, where error messages resulting from incorrectly padded plaintexts are used as a side channel. In the asymmetric encryption case, we modify and improve Bleichenbacher's attack on RSA PKCS#1v1.5 padding, giving new cryptanalysis that allows us to carry out the 'million message attack' in a mean of 49 000 and median of 14 500 oracle calls in the case of cracking an unknown valid ciphertext under a 1024 bit key (the original algorithm takes a mean of 215 000 and a median of 163 000 in the same case). We show how implementation details of certain devices admit an attack that requires only 9 400 operations on average (3 800 median). For the symmetric case, we adapt Vaudenay's CBC attack, which is already highly efficient. We demonstrate the vulnerabilities on a number of commercially available cryptographic devices, including security tokens, smartcards and the Estonian electronic ID card. The attacks are efficient enough to be practical: we give timing details for all the devices found to be vulnerable, showing how our optimisations make a qualitative difference to the practicality of the attack. We give mathematical analysis of the effectiveness of the attacks, extensive empirical results, and a discussion of countermeasures and manufacturer reaction.

# Efficient Zero-Knowledge Argument for Correctness of a Shuffle

|Stephanie Bayer| Stephanie Bayer

Mix-nets are used in e-voting schemes and other applications that require anonymity. Shuffles of homomorphic encryptions are often used in the construction of mix-nets. A shuffle permutes and re-encrypts a set of ciphertexts, but as the plaintexts are encrypted it is not possible to verify directly whether the shuffle operation was done correctly or not. Therefore, to prove the correctness of a shuffle it is often necessary to use zero-knowledge arguments.

We propose an honest verifier zero-knowledge argument for the correctness of a shuffle of homomorphic encryptions. The suggested argument has sublinear communication complexity that is much smaller than the size of the shuffle itself. In addition the suggested argument matches the lowest computation cost for the verifier compared to previous work and also has an efficient prover. As a result our scheme is significantly more efficient than previous zero-knowledge schemes in literature.

# On The Security of One-Witness Blind Signature Schemes

Foteini Baldimtsi

Blind signatures have proved an essential building block for applications that protect privacy while ensuring unforgeability, i.e., electronic cash and electronic voting. One of the oldest, and most ecient blind signature schemes is the one due to Schnorr that is based on his famous identication scheme. Although it was proposed over twenty years ago, its unforgeability remains an open problem, even in the random-oracle model. In this talk, we will show that current techniques for proving security in the random oracle model do not work for the Schnorr blind signature. Our results generalize to other important blind signatures, such as the one due to Brands. Brands' blind signature is at the heart of Microsoft's newly implemented UProve system, which makes this work relevant to cryptographic practice as well.

This is joint work with Anna Lysyanskaya

# Bridging the Semantic Gap for Virtual Machine Introspection

Christian Schneider |Christian Schneider|

All systems that utilize virtual machine introspection (VMI) need to overcome the disconnect between the low-level state that the hypervisor sees and its semantics within the guest. This problem has become well-known as the "semantic gap". Typical VMI approaches apply just enough semantic knowledge to the low-level state to be able to extract the relevant information for their application. In contrast, our work focuses on establishing a semantic connection between the guest and the hypervisor independent of the application at hand.

In this talk, I will given an overview of InSight, a kernel memory analyzer for Linux that addresses the semantic gap challenge in a universal way. Our tool goes above and beyond previous approaches in that it strives to expose all kernel objects to an application with as little human effort as possible. InSight takes advantage of two sources of semantic information: the debugging symbols of the kernel as well as the kernel's source code. By using a novel approach for C code analysis, InSight establishes used-as relations between pointer types and extracts the arithmetic that is performed to transform a source pointer to a target address.

# Formal Concept Analysis and its relation to structured systems of multivariate quadratic equations

|Enrico Thomae| Enrico Thomae

This talk explains the mathematical foundations of the theory of Formal Concept Analysis, which was introduced by R. Wille and B. Ganter. The theory itself is based on mathematical order theory, in particular on the theory of complete lattices. We give the basic notations such as formal context, formal concept, supremum- and infimum irreducible elements and repeat the basic theorem on concept lattices. Some small scale examples show applications to qualitative data analysis, such like conceptual unfolding of data contexts. We outline first attempts to use Formal Concept Analysis to speed up algorithms for solving heavily structured systems of multivariate quadratic equations. The questions arising in this context are also closely connected to the problem of determining optimal shift sets for Coppersmith's method of finding small roots of univariate modular polynomials.