OS Archive

Program: Florian Guski: Simulation of the Quantum Hybrid Attack in Q#
When: Thu, 20.12.2018, 1:00 – 12:00
S202 / B002
Description: In this thesis, we will present the new programming language Q#, which was
introduced by Microsoft at the end of 2017 and use it for an implementation
of the Quantum Hybrid Attack as presented in the papers of Göpfert,
Vredendaal and Wunderer. In this thesis, we will first focus on Q#. This
part will include a presentation of Q#'s basic principles as well as a
description of how Q# allows users to work with quantum states and quantum
bits. Afterwards, we will deal with the Quantum Hybrid Attack itself. There,
we will present both the main algorithms used for the Quantum Hybrid Attack
and talk about the necessary steps to create the according quantum circuits
out of them and how to implement them afterwards with Q#.
Program: Patrick Longa (Microsoft):
Post-quantum key exchange from supersingular isogenies and its efficient
implementation
When: Thursday, July 26, 11:00 AM
S202 / B002
Description: The supersingular isogeny Diffie-Hellman (SIDH) protocol has become one of the most popular key exchange mechanisms that is conjectured to be secure against large-scale quantum computer attacks. Equipped with the most compact keys among post-quantum candidates, SIDH inherits the rich arithmetic that made elliptic curve cryptography so popular in the last couple of decades. In this talk, we will discuss our efforts to advance the case of this isogeny-based cryptosystem for practical application. This includes the design of an IND-CCA key encapsulation scheme called SIKE, the selection of efficient parameters matching NIST-recommended security levels, and its efficient implementation on popular Intel and ARM platforms.
Program: Giulia Traverso: Coalition-Resistant Peer Rating for Long-Term Confidentiality
When: Thursday, July 26, 11:00 AM
S202 / B002
Description: The outsourced storage of sensitive data requires long-term confidentiality guarantees. Proactive secret sharing in a distributed storage system provides such guarantees. However, some storage service providers lack the reliability or performance needed for proactive secret sharing to be viable, which can threaten data confidentiality. Data owners need guidance to select the best-performing storage service providers. Aggregated peer ratings with a mediator can provide such guidance. Nevertheless, providers may rate each other inaccurately to undermine competitors. This rational behaviour must be taken into account to devise performance scoring mechanisms that generate accurate aggregate scores. The natural formalism for analysing the strategies of rational agents is game theory. In this paper, we introduce a game-theoretic model of the peer rating strategies of providers. Within this model, we first show that an unincentivised performance scoring mechanism results in providers reporting inaccurate ratings. We then introduce an incentivised performance scoring mechanism, modelled as an infinitely repeated game, that discourages inaccurate ratings. We prove that this mechanism leads to accurate ratings and thus to accurate performance scores for each provider, within a margin depending on coalition sizes.
Program: Thomas Wunderer: Estimating the Security of Lattice-Based Candidates for NIST's Post-Quantum Cryptography Standardization
When: Thursday, July 19, 11:00 AM
S202 / B002
Description: We consider all LWE- and NTRU-based encryption, key encapsulation,
and digital signature schemes proposed for standardization as part of the
Post-Quantum Cryptography process run by the US National Institute of
Standards and Technology (NIST). In particular, we investigate the impact
that different estimates for the asymptotic runtime of (block-wise) lattice
reduction have on the predicted security of these schemes. Relying on the
"LWE estimator" of Albrecht et al., we estimate the cost of running primal
and dual lattice attacks against every LWE-based scheme, using every cost
model proposed as part of a submission. Furthermore, we estimate the
security of the proposed NTRU-based schemes against the primal attack under
all cost models for lattice reduction.
Program: Wen Wang (Yale University, USA):
Hardware Architectures for Post-Quantum Cryptography – the Niederreiter Cryptosystem
When: Thu, 5.7.2018, 11:00 – 12:00
S202 / B002
Description: Post-quantum cryptography has received increased attention recently, most notably due to the standardization process for PQC schemes started by NIST in 2017. "Classic McEliece" is one of the code-based PKE/KEM submissions to the NIST PQC "competition". This presentation will focus on the FPGA-based design of this scheme, namely a Goppa code-based Niederreiter cryptosystem, including modules for encryption, decryption, and key generation. We will show how to make the design constant-time in order to protect against timing side-channel analysis and how to make the design fully parameterized in order to support a wide range of parameter choices for security, including the binary field size, the degree of the Goppa polynomial, and the code length. The parameterized design also allows users to choose design parameters for time-area trade-offs in order to support a large variety of applications ranging from smart cards to server accelerators. By comparing the performance with related work, we will show that our current work is the fastest design to date, beating prior FPGA work and optimized CPU-based implementations on recent processors.
Program: Christian Janson (TU Darmstadt, Cryptography and Complexity Theory):
Backdoored Hash Functions: Immunizing HMAC and HKDF
When: Thursday, June 21, 11:00 AM
S202 / B002
Description: Security of cryptographic schemes is traditionally measured as the inability of resource-constrained adversaries to violate a desired security goal. The security argument usually relies on a sound design of the underlying components. Arguably, one of the most devastating failures of this approach can be observed when considering adversaries such as intelligence agencies that can influence the design, implementation, and standardization of cryptographic primitives. While the most prominent example of cryptographic backdoors is NIST’s Dual_EC_DRBG, believing that such attempts have ended there is naive.
Security of many cryptographic tasks, such as digital signatures, pseudorandom generation, and password protection, crucially relies on the security of hash functions. In this work, we consider the question of how backdoors can endanger the security of hash functions and, especially, if and how we can thwart such backdoors. We particularly focus on immunizing arbitrarily backdoored versions of HMAC (RFC 2104) and the hash-based key derivation function HKDF (RFC 5869), which are widely deployed in critical protocols such as TLS. We give evidence that the weak pseudorandomness property of the compression function in the hash function is in fact robust against backdooring. This positive result allows us to build a backdoor-resistant pseudorandom function, i.e., a variant of HMAC, and we show that HKDF can be immunized against backdoors at little cost. Unfortunately, we also argue that safeguarding unkeyed hash functions against backdoors is presumably hard.
Joint work with Marc Fischlin and Sogol Mazaheri.
Program: David Artmann:
Server-side signatures using the new German Identity Card
When: Thursday, May 24, 11:00 AM
S202 / B002
Description: Due to increasing digitization, electronic documents have become
indispensable in our society and their use has become ubiquitous. Electronic
signatures are used to sign electronic documents in the same way as
paper-based documents and to make them legally binding. The use of
electronic signatures requires secure handling of the signing key to protect
it against unauthorized signature creation and to prevent signature forgery.
Server-side signatures make it easier for users to use electronic
signatures because their creation can be requested from any browser-enabled
device. Usage is also made easier by centralizing the complex security
measures that provide a high level of protection for the keys in use,
the signed documents, and the created signatures.
This thesis contributes SHAMIRA, a concept of a secure and usable
server-side signature solution. Currently, SHAMIRA is the only server-side
signature solution that fulfills the requirements of the eIDAS regulation
with regard to electronic signatures, offers a strong authentication based
on the German ID card, and operates with an eID server without requiring
modifications to it.
A system and attacker model, as well as requirements for secure and usable
server-side signature solutions are defined. Security requirements specify
measures to protect used keys and prevent signature forgery. Legal
requirements ensure compliance with the eIDAS regulation. Non-functional
requirements determine quality criteria for the application and usability of
server-side signature solutions. The results of the evaluation of existing
server-side signature solutions, namely the Austrian Handy-Signatur and the
SAP/SAD protocol of the BSI, against the defined requirements show that none
of these solutions fully meets the requirements. A prototypical
implementation of SHAMIRA was successfully created, which proves the
feasibility of the concept against the requirements. The secure storage of
keys in an HSM and the communication with a CA were simulated here. The
implementation of these functions is the last hurdle to the productive use
of SHAMIRA.
Program: Efstathios Deligeorgopoulos:
Evaluation of Proactive Secret Sharing for Long-Term Secure Storage
When: Thursday, April 26, 11:00 AM
S202 / B002
Description: Long-term secure storage is a challenging area with many
real-world applications. This thesis looks into the subject of long-term
secure storage in the form of information-theoretically secure secret
sharing. A variety of secret sharing schemes is described and then
implemented. These implementations are combined into a secret sharing testing
platform. This platform is then used as the basis of extensive testing in
order to determine the value and suitability of each scheme for long-term
storage purposes. The conclusions of the thesis show that secret sharing can
be used as a viable solution for long-term secure storage. There are, however,
special limitations and considerations that must be taken into account in
order for an efficient solution to be realized.
Program: Matthias Geihs:
On the Existence of Extractable-Binding Commitments
When: Thursday, February 22, 11:00 AM
Description: An extractable-binding commitment scheme guarantees that the
decommitted message was already known when the commitment was given.
Such commitments have powerful applications. For example, they are necessary
and sufficient for succinct non-interactive arguments of knowledge (SNARK)
and they allow for constructing renewable cryptography (e.g., renewable
commitments, signatures, and timestamps). In this talk, we explore how to
construct extractable-binding commitments. First, we investigate the
relation between extractable-binding and collision-binding. Then, we show
how to construct an extractable binding commitment scheme in the random
oracle model. Next, we observe that extractable-binding commitments are
implied by extractable-collision resistant hash functions (ECRH), which are
known to exist under the knowledge of exponent or the knowledge of knapsack
assumption. Finally, we investigate how to construct an ECRH from standard
assumptions.