# Radboud Digital Security group Lunch Talk homepage

Welcome to the site of the talks organised by Radboud Digital Security group. We organize a talk every Friday at 12:30.

## Objectives:

• Provide a forum for sharing research results.
• Stimulating discussion in the Digital Security group but also with interested researchers outside the group.
• Serve as a try-out for conference talks.

## Policy:

• We encourage the talks to be interactive and informal, with slides being optional.
• Presentation of ongoing work or research questions is most welcome.
• The recommended time for a talk is 20-30 minutes.

## Resources:

• You can keep up to date by copying the link to our automatic calendar feed and adding it in your calendar app.
• You can subscribe to our mailing list if you wish to receive announcements regarding the DiS lunch talk.
• The rotating queue of internal speakers can be found here (Internal Radboud only).

## Upcoming talks

• Friday, 16th of July 2021 at 12:30 in https://radbouduniversity.zoom.us/j/91472520403?pwd=V29RSkZkeWp5MDNqbmZteVlBWkNvZz09
DiS Lunch by Bart Mennink

#### Leakage Resilient Value Comparison With Application to Message Authentication

Side-channel attacks are a threat to secrets stored on a device, especially if an adversary has physical access to the device. As an effect of this, countermeasures against such attacks for cryptographic algorithms are a well-researched topic. In this work, we deviate from the study of cryptographic algorithms and instead focus on the side-channel protection of a much more basic operation, the comparison of a known attacker-controlled value with a secret one. Comparisons sensitive to side-channel leakage occur in tag comparisons during the verification of message authentication codes (MACs) or authenticated encryption, but are typically omitted in security analyses. Besides, also comparisons performed as part of fault countermeasures might be sensitive to side-channel attacks. In this work, we present a formal analysis on comparing values in a leakage resilient manner by utilizing cryptographic building blocks that are typically part of an implementation anyway. Our results indicate that there is no need to invest additional resources into implementing a protected comparison operation itself if a sufficiently protected implementation of a public cryptographic permutation, or a (tweakable) block cipher, is already available. We complement our contribution by applying our findings to the SuKS message authentication code used by lightweight authenticated encryption scheme ISAP, and to the classical Hash-then-PRF construction.

• Friday, 27th of August 2021 at 12:30 in https://radbouduniversity.zoom.us/j/91472520403?pwd=V29RSkZkeWp5MDNqbmZteVlBWkNvZz09
DiS Lunch by Ronny Wichers Schreur

• Friday, 3rd of September 2021 at 12:30 in https://radbouduniversity.zoom.us/j/91472520403?pwd=V29RSkZkeWp5MDNqbmZteVlBWkNvZz09
DiS Lunch by Hanna Schraffenberger

• Friday, 10th of September 2021 at 12:30 in https://radbouduniversity.zoom.us/j/91472520403?pwd=V29RSkZkeWp5MDNqbmZteVlBWkNvZz09
DiS Lunch by Santos Merino del Pozo

• Friday, 17th of September 2021 at 12:30 in https://radbouduniversity.zoom.us/j/91472520403?pwd=V29RSkZkeWp5MDNqbmZteVlBWkNvZz09
DiS Lunch by X Y

• Friday, 24th of September 2021 at 12:30 in https://radbouduniversity.zoom.us/j/91472520403?pwd=V29RSkZkeWp5MDNqbmZteVlBWkNvZz09

• Friday, 8th of October 2021 at 12:30 in https://radbouduniversity.zoom.us/j/91472520403?pwd=V29RSkZkeWp5MDNqbmZteVlBWkNvZz09
DiS Lunch by Kevin Valk

## Past talks

• Friday, 9th of July 2021 at 12:30
Screen Gleaning: Exploration of the Display Cable Side-Channel by Dirk Lauret

This presentation presents the shortcomings of the original screen gleaning paper. In order to cope with these shortcomings, a new detection method had to be developed: edge-detection. The edge-detection method is designed for side-channel analysis on channels that transmit bitstreams. The edge-detection method makes use of the bandwidth between multiple higher-order harmonics of the original frequency at which the bitstream is being transmitted. With this method, peaks will occur at the transitions of the signal, allowing the user to detect the edges of the bitstream. This presentation will show that the location of these transitions is enough to confidently interpret the information in the bitstream. The advantage of only using higher- order harmonics is that high-frequency antenna designs can be used, which are in general more scalable. Edge-detection can be applied on different use cases related to side-channel analysis attacks. This presentation gives a simplified example of such a use case by using HDMI cables with differential signaling.

• Friday, 2nd of July 2021 at 12:30
Understanding quantum computing using pictures by John van de Wetering

As my research is a bit orthogonal to the interests of the group, in this talk I will give a more general overview of some of the stuff I've worked on. I'll start by giving an introduction to quantum computing, focussing on the use of quantum circuits. Then I'll show how we can view quantum computations as ZX-diagrams, a pictographic representation of computations. Using the ZX-calculus we can then reason entirely graphically about quantum computations. Given there's enough time, I will demonstrate the power of this method by giving a diagrammatic proof of the Gottesman-Knill theorem, a famous result in quantum computing that says a certain useful class of quantum circuits can be efficiently classically simulated.

• Friday, 25th of June 2021 at 12:30
LPO Proofs in Two Educational Contexts by Engelbert Hubbers

In this talk I present the results of a paper that is based on my teaching experience with the course Semantics and Rewriting. One of the things that students need to learn in that course is proving termination of a term rewrite system using the lexicographical path order method (LPO). I noticed in the past that students consider this a difficult proof method, due to the recursive definition and the nested structure in natural language. Therefore, I introduced some new, more formal methods, in tree-style and in Fitch-style, hoping that this would make it easier for students to actually formulate these proofs.
However, besides being able to formulate this kind of proofs on paper, it is also important that students can formulate the same kind of proofs in the Cirrus exam environment, so that is also addressed.
The exam of this course is on June 22, so hopefully I will be able to tell you on June 25 how the students performed at this particular exercise.

• Friday, 18th of June 2021 at 12:30
The End of Smartcards by Erik Poll

For the past quarter of a century, we've been using contact and contactless smartcards for just about anything. But the days of the smartcard are numbered: soon we will only use our mobile phones for everything instead.
This does raise questions on how to design and evaluate smartphone-based authentication solutions. There is a larger design space of solutions (which includes the choices between centralising vs decentralising that Eric Verheul discussed last week), with more and more complex components, for use in online and/or offline settings. How do we judge or compare the security of solutions, let alone
certify them in some rigorous way?
It is not clear what the right answers or even the right questions here are. Goal of this talk is to stir up some discussion about all this.

• Friday, 11th of June 2021 at 12:30
Application of k-anonymity in the new Dutch eID-card by Eric Verheul

Since the start of 2021, Dutch citizens can log in to public service providers using their contactless Dutch identity card by presenting it to DigiD, the centralized authentication provider of Dutch government. In this talk I will explain the cryptographic setup of this setup which I designed around 2014. One of the key properties of this setup is its implementation of k-anonymity. While DigiD knows which service provider a card user wants to authenticate to and delivers its social security number (BSN) to it, DigiD is not able to recognize the user. I will indicate this provides a good trade-off between the here conflicting properties of security and privacy. The new Dutch eID-card shows that the use of centralized authentication is not necessarily privacy-unfriendly which is a common misconception in (academic) literature.

• Friday, 4th of June 2021 at 12:30
Robustness of Machine Learning (and its implications to security) by Alexandru Serban

In this talk I will present an update of our work on training robust machine learning (ML) models and discuss the implications of robustness to security of ML. The focus will be on training robust ML models with small data sets, although a larger discussion about ML robustness in the context of ML engineering and ML policy will be provided (i.e., within the EU guidelines for trustworthy AI).

• Friday, 28th of May 2021 at 12:30
Remote voting with random-blind attributes (and IRMA) by Bernard van Gastel

Small scale elections, about your street or a nearby park as organized by municipalities, are now often organized ad hoc: without proper access control, or using expensive snail mail. We set out to improve on this situation, i.e. bringing those kind of elections in the modern era. In our approach, a voter registers at our first server. If the voter is eligible (lives in a certain street), the voter gets an anonymous voting number from this server by using random-blind attributes (as just implemented by IRMA). On the next server, that anonymous voting number can be used to actually cast a vote. After the election a public record with votes signed with the anonymous voting number is published, so that voters can verified the results. Voters are anonymous as long as the two servers are properly separated and secured. Currently user testing is underway in Groningen and Amsterdam. In the talk, the trade-offs are discussed, an overview of the security design is given, and the first interesting insights of the user tests are shared.

• Friday, 21st of May 2021 at 12:30
Introduction to WebRTC by Alexandre Iooss

WebRTC revolutionised videoconferencing on the Web. During this short introduction on WebRTC, you will discover the different technologies that enable modern applications such as Zoom, Jitsi, BigBlueButton and Skype to manage real-time audio and video communications over an unstable and chaotic Internet.
Are you no longer hearing your supervisor on Skype? Are you sounding like in a submarine on Discord? The goal of this presentation is to explain what is happening behind the scene and to give advice and tools to understand these issues.

• Friday, 7th of May 2021 at 12:30
Post-quantum WireGuard by Peter Schwabe

WireGuard is a modern VPN protocol invented by Donenfeld. It was presented at NDSS 2017 and is now part of the mainline Linux kernel. WireGuard improves on solutions like OpenVPN or IPsec in terms of performance, code complexity, and security. However, protection against quantum attackers was considered out of scope in the design.
In this talk I will present our proposal for a post-quantum variant of the WireGuard handshake, which will also be presented at Oakland 2021. This proposal is obtained by first moving the Diffie-Hellman-based WireGuard handshake to a generic KEM-based construction and then carefully instantiating the KEMs to retain WireGuard's performance and security advantages to the maximum extent.

• Friday, 30th of April 2021 at 12:30
On the security of the Multi-mixer: A multiplication based keyed compression function by Koustabh Ghosh

In cryptography, authenticity of a message is as important as its confidentiality.
Message Authentication Code (MAC) compresses a variable length message to a fixed length value and outputs a tag, which is then verified to check the message's authenticity.
MAC functions, while sometimes used standalone, are also used in conjunction with an encryption algorithm, i.e., in authenticated encryption.
We wish to design a keyed compression function for use in a MAC function that is at the same time efficient and offers a high level of collision resistance.
There are several ways to build a MAC function. Block cipher based: CMAC, PMAC, hash function based: HMAC, KMAC.
Such construction are computationally heavy. But, we have lighter alternative based on multiplication in some large finite field: GMAC over a field of characteristic 2 and POLY-1305 over a prime field. And then there is NH-hash, which uses multiplication without any modular reduction.
NH-hash uses integer multiplication over 32-bits and is super fast on many CPUs thanks to the presence of fast instructions for large integer Multiplication (16-bit or 32-bit).
NH-Hash achieves 64 bits of collision-resistance security by combining 4 instances of a basic function called NH, and costs 4 multiplications and 16 additions per 64-bit input block.
Taking NH-Hash as a starting point we have designed a new function called the Multi-mixer.
Its ambition is to have 128 bits of collision resistance security and it has a workload of 2 multiplications and 10 additions per 64-bit input block: so twice the security for about half the workload pf that of NH.

• Friday, 23rd of April 2021 at 12:30
Controlling the Deep Learning Based Side-Channel Analysis: A Way to Leverage from Heuristics by Servio Paguada Isaula and Unai Rioja

Deep neural networks have become the state-of-the-art method when a profiled side-channel analysis is performed. Their popularity is mostly due to neural nets overcoming some of the drawbacks of classical'' side-channel attacks, such as the need for feature selection or waveform synchronization, in addition to their capability to bypass certain countermeasures like random delays. To design and tune a neural network for side-channel analysis systematically is a complicated task. There exist hyperparameter tuning techniques which can be used in the side-channel analysis context, like Grid Search, but they are not optimal since they usually rely on specific machine learning metrics that cannot be directly linked to e.g. the success of the attack.
We propose a customized version of an existing statistical methodology called Six Sigma for optimizing the deep learning-based side-channel analysis process. We demonstrate the proposed methodology by successfully attacking a masked software implementation of AES.

• Friday, 16th of April 2021 at 12:30
Exploit Logic by Nico Naus

Automatic exploit generation is a relatively new area of research. Work in this area aims to automate the manual and labour intensive task of finding exploits in software. With Exploit Logic, we are aiming to lay the foundation for a new automatic exploit generation system. Exploit Logic, which formally defines the relation between exploits and the preconditions which allow them to occur. This relation is used to calculate the search space of preconditions for a specific program and exploit. This presentation is an introduction into Exploit Logic, and the current state of my research.

• Friday, 9th of April 2021 at 12:30
Hierarchical Approach in RNS Base Extension for Asymmetric Cryptography by Libey Djath

Base extensions are a substantial part of modular reduction using residue number system in the context of asymmetric cryptography. In this presentation, we discuss the base extension proposed by Djath, Bigou and Tisserand [Hierarchical approach in RNS base extension for asymmetric cryptography. In 26th IEEE Symposium on Computer Arithmetic (ARITH), pp. 46–53. IEEE, 2019]. Our proposed algorithm is based on a hierarchical approach in the Chinese-remainder-theorem computation. We demonstrate that the theoretical computation cost of the base-extension operation is reduced and the inherent parallelism of residue number system internally preserved. For typical field sizes employed in elliptic curve cryptography, FPGA implementations using high-level synthesis tools show that the reduction of the theoretical computation cost translates into area and time gains.

• Friday, 26th of March 2021 at 12:30
CLKSCREW: Exposing the Perils of Security- Oblivious Energy Management by Dirk Lauret

The need for power- and energy-efficient computing has resulted in aggressive cooperative hardware-software energy management mechanisms on modern commodity devices. Most systems today, for example, allow software to control the frequency and voltage of the underlying hardware at a very fine granularity to extend battery life. Despite their benefits, these software-exposed energy management mechanisms pose grave security implications that have not been studied before.
Here I will present the CLKSCREW attack, a new class of fault attacks that exploit the security- obliviousness of energy management mechanisms to break security. A novel benefit for the attackers is that these fault attacks become more accessible since they can now be conducted without the need for physical access to the devices or fault injection equipment. We demonstrate CLKSCREW on commodity ARM/Android devices. We show that a malicious kernel driver (1) can extract secret cryptographic keys from Trustzone, and (2) can escalate its privileges by loading self-signed code into Trustzone. As the first work to show the security ramifications of en- ergy management mechanisms, we urge the community to re-examine these security-oblivious designs.

• Friday, 19th of March 2021 at 12:30
Breaking energy privacy through traffic analysis by Pol Van Aubel

In the world of smart metering, every byte transmitted costs money, so there is a desire to minimize the amount of data sent by smart meters. Compression may seem like a good option for this, but it may have privacy implications. In this talk I will show that applying straightforward compression to encrypted energy use data from smart meters in the Netherlands would allow an attacker performing traffic analysis to reveal private information.
The first part of the talk briefly introduces the smart metering landscape in the Netherlands, explaining the influence of privacy and security on certain design choices. Armed with this background knowledge we then take a real-world dataset, encode it using the industry-standard DLMS/COSEM protocol, and analyze the effects that the compression used in DLMS/COSEM has on the size of messages transmitting this dataset. We find that using this compression mechanism would allow an attacker to infer e.g. when a household is on vacation. To solve this problem, we propose a smarter encoding of the data that still achieves very good data savings, without leaking the energy use pattern of households.

• Friday, 12th of March 2021 at 12:30
Differential trail bound in Subterranean 2.0 by Alireza Mehrdad

Subterranean 2.0 has been selected as a candidate in the second round of NIST’s lightweight cryptography standardization process. Recent studies have shown that Subterranean is performing well in terms of hardware compared to other candidates. It is clear that a cryptographic algorithm requires high security in addition to performance. As a result, we need to check whether an algorithm is secure enough. For this purpose, we can use the present cryptanalysis; and differential cryptanalysis is one of the strongest. In the case of cryptographic primitives with weak alignment (as Keccak and Subterranean), the estimation of the probability of the differential trails is obtained via computer-assisted proofs and dedicated tools. In this presentation, I will present a detailed analysis of the differential trail search in Subterranean.

• Friday, 26th of February 2021 at 12:30
Microtargeted propaganda by foreign actors: An interdisciplinary exploration by Ronan Ó Fathaigh, Tom Dobber, James Shires, and Frederik Zuiderveen Borgesius

Ronan Ó Fathaigh, Tom Dobber, James Shires, and Frederik Zuiderveen Borgesius will present a draft article, called 'Microtargeted propaganda by foreign actors: An interdisciplinary exploration’.

• Friday, 12th of February 2021 at 12:30
Veni, Vidi, Vici(?) by Zekeriya Erkin

It has been more than two years since I started at Radboud University. In this talk, I will introduce myself and explain a little bit about the EU project I have been involved. I will also present the work on Threshold Multi-party Private Set Intersection, based on a use case addressed in the project. The cryptographic protocol was designed using Bloom filters. Our approach has linear complexity and improves state of the art significantly for large numbers of (corruptible) parties, for instance, when there are 10 or more parties who have 64 elements in their sets.

• Friday, 29th of January 2021 at 12:30
Real World Crypto in the actual real world by Ruben Gonzalez

This informal lunch talk will give some insight into how cryptography is currently used in the real world and why that is problematic.
I'll briefly present "cryptographic incidents" that happened to me in my work life. I'll also show how they are exploitable and how this impacts the overall security of a product.

• Friday, 15th of January 2021 at 12:30
Detecting software vulnerabilities with AI by Harald Vranken

The first part of this talk is a gentle introduction on how AI techniques can be applied in static source code analysis to detect vulnerabilities. We will briefly look at different methods that have been tried by various researchers and give an overview of our research. In the second part of the talk we will focus on one of our research projects: detecting cross-site scripting and SQL injection vulnerabilities in PHP web applications using machine learning. In this project, we assemble a dataset of vulnerable PHP code samples and their patched versions. We extract features from these code samples by applying data-flow analysis techniques, and use these features in machine learning to train various probabilistic classifiers. Our experiments show that we outperform other approaches for vulnerability detection in PHP code, and we were able to detect a previously unknown vulnerability in an open-source web application for photo sharing.

• Friday, 18th of December 2020 at 12:30
OpenSky Network - Open Air Traffic Data for Research by Kai Jansen

The OpenSky Network is a non-profit association based in Switzerland. It aims at improving the security, reliability and efficiency of the air space usage by providing open access of real-world air traffic control data to the public. The OpenSky Network consists of a multitude of sensors connected to the Internet by volunteers, industrial supporters, and academic/governmental organizations. All collected raw data is archived in a large historical database. The database is primarily used by researchers from different areas to analyze and improve air traffic control technologies and processes.

• Friday, 11th of December 2020 at 12:30
Without consent by Mireille Hildebrandt, Paulus Meessen & Laurence Diver

Inspired by Paul Graßl's: Dark and Bright Patterns in Cookie Consent Requests this lunchtalk will demonstrate how the new Journal of Cross-disciplinary Research in Computational Law (CRCL) [0] 'did' its data protection statement. Mireille will discuss the relevant legal framework (GDPR and ePrivacy) to explain the crucial differences and overlaps between (1) personal data (2) technical, functional and other cookies, and (3) other tracking mechanisms, mapping them to the relevant legal constraints, followed by a brief overview of the data protection statement (which is mistakenly qualified as a privacy statement due to the affordances of the OJS platform). Paulus Meessen and Laurence Diver (COHUBICOL researchers in Nijmegen and Brussels) will explain what this means on the backend system. [0] : https://journalcrcl.org/

• Friday, 27th of November 2020 at 12:30
An Algorithmic Reduction Theory for Binary Codes: LLL and more by Leo Ducas

Lattice reduction is the task of finding a basis of short and somewhat orthogonal vectors of a given lattice. In 1985 Lenstra, Lenstra and Lovasz proposed a polynomial time algorithm for this task, with an application to factoring rational polynomials. Since then, the LLL algorithm has found countless application in algorithmic number theory and in cryptanalysis. There are many analogies to be drawn between Euclidean lattices and linear codes over finite fields. In this work, we propose to extend the range of these analogies by considering the task of reducing the basis of a binary code. In fact, all it takes is to choose the adequate notion mimicking Euclidean orthogonality (namely orthopodality), after which, all the required notions, arguments, and algorithms unfold before us, in quasi-perfect analogy with lattices.

• Friday, 20th of November 2020 at 12:30
by Paul Graßl

Title: Dark and Bright Patterns in Cookie Consent Requests
Description: Dark patterns are (evil) design nudges that steer people's behaviour through persuasive interface design. Increasingly found in cookie consent requests, they possibly undermine principles of EU privacy law. In two preregistered online experiments we investigated the effects of three common design nudges (default, aesthetic manipulation, obstruction) on users' consent decisions and their perception of control over their personal data in these situations. In the first experiment (*N* = 228) we explored the effects of design nudges towards the privacy-unfriendly option (dark patterns). The experiment revealed that most participants agreed to all consent requests regardless of dark design nudges. Unexpectedly, despite generally low levels of perceived control, obstructing the privacy-friendly option led to more rather than less perceived control. In the second experiment (*N* = 255) we reversed the direction of the design nudges towards the privacy-friendly option, which we title "bright patterns". This time the obstruction and default nudges swayed people effectively towards the privacy-friendly option, while the result regarding perceived control stayed the same compared to Experiment 1. Overall, our findings suggest that many current implementations of cookie consent requests do not enable meaningful choices by internet users, and are thus not in line with the intention of the EU policymakers. We also explore how policymakers could address the problem.

• Friday, 13th of November 2020 at 12:30
by TBD

• Friday, 6th of November 2020 at 12:30
Open Maths at the University: mathematics as part of a computer science study by Greg Alpar

Mathematics plays an important role in cryptography and in computer science, in general. It is a crucial vehicle for logical reasoning, for insight and for problem solving. Our university programs aim to use and further develop students' mathematical skills in this direction. However, students often arrive to the university with a simplistic image about mathematics that is completely misaligned with actual mathematics: "memorise and apply quickly". Not only their view but also their skills inhibit them in pursuing a truly successful computer science study. How can we bridge the gap between actual mathematics and this narrow, computation-centred idea about mathematics? Open Maths is just about that. In this talk, I will give an overview about the Open Maths courses, about my experiences of the Comenius Teaching Fellowship and about further possibilities.

• Friday, 30th of October 2020 at 12:30
Compact Dilithium on Cortex M3 and Cortex M4 by Denisa Greconici & Daan Sprenkels

In the last half year, we have implemented the Dilithium (round 2) scheme for the ARM Cortex M4 and ARM Cortex M3. Particularly for Cortex M3 this is exciting, because the M3 32-bit multiply operations are not constant time. We have looked at different techniques for optimizing both performance and stack space. The result was an implementation for M4 that was around 20% faster than previous works; and for both platforms a memory usage of less than {40,54,71} kB for Dilithium{2,3,4} for sigining, and less than 11 kB for verification.

• Friday, 23rd of October 2020 at 12:30
AI for Intrusion Detection by Hamid Bostani

Along with the rapid development of technologies in information and communications, cyber threats not only have grown significantly in numbers but have also become considerably sophisticated. One of the efficient mechanisms that can bring a high level of security and mitigate the vulnerabilities present in computer networks is Intrusion Detection Systems (IDSs). In order to achieve optimal results, the decision-making processes which are used in IDSs to identify threats need to be smarter as malicious actors are constantly trying to evolve their attacks using sophisticated techniques. In this talk, I will present my recent research on the intersection of AI and IDSs, and in particular, how AI can help thwart/mitigate network-based attacks.

• Friday, 9th of October 2020 at 12:30
Campana Curves and semi-integral Points by Krijn Reijnders

In my thesis, I looked at why certain algebraic structures (Campana curves and semi-integral points) are a useful tool for open problems in arithmetic geometry. I translated a hypothesis over number fields to a hypothesis over function fields. In this talk, I'll explain the basics of arithmetic geometry, how it gives us insight into number theory and algebraic geometry, and where such insight is relevant for cryptography.

• Friday, 2nd of October 2020 at 12:30
Post-quantum TLS without handshake signatures by Thom Wiggers

It's possible to make TLS 1.3 post-quantum secure by just plugging in post-quantum key exchange and a post-quantum signature scheme. But PQ signatures tend to be quite big and slow. KEMTLS is our proposal for a post-quantum secure variant of TLS that authenticates by using KEMs instead of the handshake signature. With a trick to preserve the ability to allow the client to send the request after the server sends its certificate: using KEMs instead of signatures doesn't take more round trips for this first message.
We compare a few instantiations of KEMTLS. Optimised for communication size, KEMTLS, with SIKE for KEX and handshake authentication, GeMSS for the CA certificate and a custom XMSS for optional intermediate certificates, requires less than half the bandwidth of a post-quantum TLS 1.3 using Falcon for the handshake signature. When picking primitives for speed, KEMTLS reduces the amount of server CPU cycles by up to 90% compared to an equivalent post-quantum instantiation of TLS 1.3, as well as reducing the time before the client can send its first application data.

• Friday, 25th of September 2020 at 12:30
Call Me Maybe: Ea­ves­drop­ping En­cryp­ted LTE Calls With Re­VoL­TE by Katharina Kohls

Voice over LTE (VoLTE) is a packet-based telephony service seamlessly integrated into the Long Term Evolution (LTE) standard and deployed by most telecommunication providers in practice. Due to this widespread use, successful attacks against VoLTE can affect a large number of users worldwide. In this work, we introduce ReVoLTE, an attack that exploits an LTE implementation flaw to recover the contents of an encrypted VoLTE call, hence enabling an adversary to eavesdrop on phone calls. ReVoLTE makes use of a predictable keystream reuse on the radio layer that allows an adversary to decrypt a recorded call with minimal resources. Through a series of preliminary as well as real-world experiments, we successfully demonstrate the feasibility of ReVoLTE and analyze various factors that critically influence our attack in commercial networks. For mitigating the ReVoLTE attack, we propose and discuss short- and long-term countermeasures deployable by providers and equipment vendors.

• Friday, 26th of June 2020 at 12:30
Biases that arise in Search by Arjen De Vries

An Information Retrieval model estimates the relevance of information objects to an information need. Originally, this was achieved primarily by comparing the information representations of documents (usually text) with those of the requests (as typed by the end user), and, usually, a straightforward way to measure similarity between these representations determined the degree of relevance between them. In recent years however, with the opportunities that data processing at large have to offer, this relevance estimation takes into account additional factors. First, "learning to rank" approaches adapt the matching process to include (assumingly related) previous actions of this end user on the same system, as well as information seeking behaviors of all the users of the system. Second, information representations are not based on a single information object any more, but on the corpus as a whole. Together, these trends make the retrieval process much more vulnerable for implicit biases that sneak into the retrieval process. I will discuss some of these biases, what we try to achieve when considering these in our group, and why a further understanding of biases in search is only getting more important with the current rise of interested in conversational search.

• Friday, 19th of June 2020 at 12:30
by TBD

• Friday, 12th of June 2020 at 12:30
When similarities among devices are taken for granted: Another look at portability by Unai Rioja Sabando

The original idea of profiling implies attacking one device with a leakage model generated from an "identical copy", but this concept cannot be always enforced. The leakage model is commonly generated with traces from an "open device", assuming that a model which works for one device should work for another copy as well. In practice, applying a leakage model to a different copy of the same device (commonly called portability) is a hard problem to deal with, as intrinsic differences in the devices or the experimental setups used to obtain the traces cause behavioral variations which lead to an unsuccessful attack. Thus, we propose a novel similarity assessment technique that allows evaluators to quantify the differences among various copies of the same device. Additionally, we support this technique with actual experiments to show that this metric is directly related to the portability issue. Finally, we derive a method that improves the performance of template attacks.

• Friday, 5th of June 2020 at 12:30
Single-Trace Attacks on Keccak by Robert Primas

Since its selection as the winner of the SHA-3 competition, Keccak, with all its variants, has found a large number of applications. It is, for instance, a common building block in schemes submitted to NIST's post-quantum cryptography project. In many of these applications, Keccak processes ephemeral secrets. In such a setting, side-channel adversaries are limited to a single observation, meaning that differential attacks are inherently prevented. If, however, such a single trace of Keccak can already be sufficient for key recovery has so far been unknown.
In this paper, we change the above by presenting the first single-trace attack targeting Keccak. Our method is based on soft-analytical side-channel attacks and, thus, combines template matching with message passing in a graphical model of the attacked algorithm. As a straight-forward model of Keccak does not yield satisfactory results, we describe several optimizations for the modeling and the message-passing algorithm. Their combination allows attaining high attack performance in terms of both success rate as well as computational runtime.
We evaluate our attack assuming generic software (microcontroller) targets and thus use simulations in the generic noisy Hamming-weight leakage model. Hence, we assume relatively modest profiling capabilities of the adversary. Nonetheless, the attack can reliably recover secrets in a large number of evaluated scenarios at realistic noise levels. Consequently, we demonstrate the need for countermeasures even in settings where DPA is not a threat.

• Friday, 29th of May 2020 at 12:30
No DiS Lunch
• Friday, 22nd of May 2020 at 12:30
No DiS Lunch
• Friday, 15th of May 2020 at 12:30
Lecturing using OBS & Youtube by Pol Van Aubel

We've been forced to switch all education to an online model. For lectures, many people have taken to using videoconferencing software, others have tried their hand at Brightspace Virtual Classroom. However, because Object Oriented Programming has over 400 enrolled students, with lecture participation well over 150, none of these options were available to us. So I decided to use a piece of software and a website purposely designed for 1-to-many broadcasting: Open Broadcaster Software & Youtube.
Unfortunately, this would not work for the computer practical sessions, where usually, students work in pairs and student assistants are readily available to answer questions on-the-fly. Brightspace discussion boards weren't going to cut it. But, thanks to the help of my student assistants, when everybody else was cancelling lectures and practicals on the 13th of March, we gave our first in a series of successful online practical sessions on Discord.
This talk, set up as how one of my currently "normal" lectures looks now, will dive into the details of how I use these tools, hopefully to help you see whether they or not they are suited for your courses. My ulterior motive is that I have very strong opinions on tooling we really need for effective online education, and currently I only find those needs fulfilled by software that is not provided within the university. I hope that this may convince more people of the necessity of certain aspects of the tools I use, so that we can collectively ask for them, or tools like them, to be integrated in our own infrastructure.
The talk itself will livestream on https://youtu.be/dfBkuvhvJLw. We can use the text chat next to youtube to ask questions, or to signal someone would like to ask a spoken question in the Jitsi session.

• Friday, 8th of May 2020 at 12:30
Scattering and Huddling by Daniël Kuijsters

Modern ciphers are based on the iterative application of an invertible round function that consists of a number of steps.
Clearly, there is a tension between security and efficiency when choosing the number of rounds.
Making a good choice requires a good understanding of the interplay between design decisions and the applicability of certain classes of attacks.
In this talk, we look at the relation between the partitioning of the index space as derived from the S-box layer and the applicability of differential and linear cryptanalysis to the round function.
Throughout, we consider round functions with the following steps:
1) An S-box layer;
2) A linear layer;
In particular, we consider the round functions of the ciphers Rijndael (AES), Saturnin, Spongent, and Xoodoo.
First, we cover some basic definitions and present the alignment properties of the steps.
Second, we start from the familiar notion of Hamming weight, which reveals the mixing power of the linear layer.
Contrasting this with the box weight, we discuss an effect that we call bit huddling.
Next, we introduce the lambda-box histogram of the linear layer, which reveals its so-called scattering power.
Finally, we take the S-box layer into account and discuss the differential propagation and correlations properties.​

• Friday, 1st of May 2020 at 12:30
by Mireille Hildebrandt and Jaap-Henk Hoepman

nice opportunity and showcase for Privacy-by-Design, or is it a
privacy disaster that we should fight at all cost? Or is the
discussion of privacy only a distraction from the more fundamental
issue that the whole enterprise is just techno-solutionism and that
this piece of technology is not going to solve anything?
Mireille Hildebrandt and Jaap-Henk Hoepman will argue the positions
outlined in
and http://blog.xot.nl/

• Friday, 24th of April 2020 at 12:30
No DiS Lunch (No Speaker)
• Friday, 17th of April 2020 at 12:30
Formal Proofs of Return Address Integrity by Freek Verbeek

We present a methodology for generating a characterization of the memory used by an assembly program, as well as a formal proof that the assembly is bounded to the generated memory regions. A formal proof of memory usage is required for compositional reasoning over assembly programs. Moreover, it can be used to prove low-level security properties, such as integrity of the return address of a function. Our verification method is based on interactive theorem proving, but provides automation by generating pre- and postconditions, invariants, control-flow, and assumptions on memory layout. As a case study, three binaries of the Xen hypervisor are disassembled. These binaries are the result of a complex build-chain compiling production code, and contain various complex and nested loops, large and compound data structures, and functions with over 100 basic blocks. The methodology has been successfully applied to 251 functions, covering 12,252 assembly instructions.

• Friday, 10th of April 2020 at 12:30
No DiS Lunch (Good Friday)
• Friday, 3rd of April 2020 at 12:30
On a Generalization of Substitution-Permutation Networks: The HADES Design Strategy by Lorenzo Grassi

Substitution-Permutation Networks (SPNs) are an approach that is popular since the mid 1990s. Such networks take a block of the plaintext and the key as inputs, and apply several alternating rounds of substitution Boxes (S-Boxes) and permutation boxes to produce the ciphertext block. One of the new directions in the design of these round functions is to reduce the substitution (S-Box) layer from a full one to a partial one, uniformly distributed over all the rounds. LowMC and Zorro are examples of this approach.
A relevant freedom in the design space is to allow for a highly nonuniform distribution of S-Boxes. However, choosing rounds that are so different from each other is very rarely done, as it makes security analysis and implementation much harder. We develop the design strategy Hades and an analysis framework for it, which despite this increased complexity allows for security arguments against many classes of attacks, similar to earlier simpler SPNs. The framework builds up on the wide trail design strategy for SPNs, and it additionally allows for security arguments against algebraic attacks, that are much more of a concern when algebraically simple S-Boxes are used.
As a concrete use-case application, we present a candidate cipher natively working over GF(p) for securing data transfers with distributed databases using secure multiparty computation (MPC). Compared to the currently fastest design MiMC, we observe significant improvements in online bandwidth requirements and throughput with a simultaneous reduction of preprocessing effort, while having a comparable online latency.

• Friday, 27th of March 2020 at 12:30
Investigating differential power analysis of the chi function by Anna Guinet

Differential power analysis (DPA) exploits the dependence between the power consumption of hardware devices and the data processed by the cryptographic function that has been implemented. We analyzed in depth the security of a hardware implementation of the chi function used in cryptographic algorithms like Keccak and Ascon, against DPA, with simulations. Our aim is to quantify the amount of effort that an adversary should put to retrieve the secret by determining the number of power traces needed. In our simulations, the power consumption is modeled as coming entirely from the registers. We extended the previous analysis performed by the Keccak team of the chi function to retrieve more secret bits.

• Friday, 20th of March 2020 at 12:30
No DiS Lunch (Canceled)
• Friday, 13th of March 2020 at 12:30
No DiS Lunch (Canceled)
• Friday, 6th of March 2020 at 12:30
Minerva: A ladder has no windows but can still leak by Ján Jančár

We present our discovery of a group of side-channel vulnerabilities
in implementations of ECDSA in the widely used Atmel AT90SC
FIPS 140-2 certified chip and five cryptographic libraries
(libgcrypt, wolfSSL, MatrixSSL, SunEC/OpenJDK/Oracle JDK, Crypto++).
Vulnerable implementations leak the bit-length of the scalar used
in scalar multiplication via timing information. We utilize this
information leak to form a lattice attack and recover the full
private key after observing thousands of signing operations.
https://minerva.crocs.fi.muni.cz

• Friday, 28th of February 2020 at 12:30
Algebraic and Higher-Order Differential Cryptanalysis of Pyjamask-96 by Jan Schoone

The NIST call for lightweight cryptography has gotten quite some attention. One of the candidates, Pyjamask - a block cipher, was investigated over the summer by Yann Rotella, Christoph Dobraunig and the speaker. In this talk a short summary will be given of the method of our attack and the results. We found a theoretical key-recovery attack that reaches the full-round version of Pyjamask-96.

• Friday, 21st of February 2020 at 12:30
Deck-Based Wide Block Cipher Modes and an Exposition of the Blinded Keyed Hashing Model by Aldo Gunsing

We present two tweakable wide block cipher modes from doubly-extendable cryptographic keyed (deck) functions and a keyed hash function: double- decker and docked-double-decker. Double-decker is a direct generalization of Farfalle-WBC of Bertoni et al. (ToSC 2017(4)), and is a four-round Feistel network, docked-double-decker is a modified variant. We prove these constructions secure using a new security model for keyed hashes namely the blinded keyed hashing model. We demonstrate that blinded keyed hashing is more general than the conventional notion of XOR-universality, and that it allows us to instantiate our constructions with keyed hash functions that have a very strong claim on bkh security but not necessarily on XOR-universality, such as Xoofffie (ePrint 2018/767).

• Friday, 14th of February 2020 at 12:30
Detection of triggers in Deep Neural Networks by Laurent Floor

Deep Neural Networks have shown human-like accuracies for the classification tasks, like image recognition. Along with the development also comes new security risks. One of them is the implementation of triggers in Neural Networks. They can be used to control the outcome of a network in advance. In this talk, a method is discussed to detect the trigger. During my internship, I have researched the limitations of this detection method.

• Friday, 7th of February 2020 at 12:30
No DiS Lunch (Crypto Working Group in Utrecht)
• Friday, 31st of January 2020 at 12:30
A Compact and Scalable Hardware/Software Co-design of SIKE by Pedro Maat Costa Massolino

We present efficient and compact hardware/software co-design implementations of the Supersingular Isogeny Key Encapsulation (SIKE) protocol on field-programmable gate arrays (FPGAs). In order to be better equipped for different post-quantum scenarios, our architectures were designed to feature high-flexibility by covering all the currently available parameter sets and with support for primes up to 1016 bits. In particular, any of the current SIKE parameters equivalent to the postquantum security of AES-128/192/256 and SHA3-256 can be selected and run on-the-fly. This security scalability property, together with the small footprint and efficiency of our architectures, makes them ideal for embedded applications in a post-quantum world. In addition, the proposed implementations exhibit regular, constant-time execution, which provides protection against timing and simple side-channel attacks. Our results demonstrate that supersingular isogeny-based primitives such as SIDH and SIKE can indeed be deployed for embedded applications featuring competitive performance. For example, our smallest architecture based on a 128-bit MAC unit takes only 3415 slices, 21 BRAMs and 57 DSPs on a Virtex 7 690T and can perform key generation, encapsulation and decapsulation in 14.4, 24.4 and 26.0 milliseconds for SIKEp434 and in 52.3, 86.4 and 93.2 milliseconds for SIKEp751, respectively.

• Monday, 27th of January 2020 at 15:00
Breaking the Bluetooth pairing - or How a Minor Detail Affects a Major Protocol? by Eli Biham

Bluetooth is a widely deployed platform for wireless communications between mobile devices. It uses authenticated Elliptic Curve Diffie-Hellman for its key exchange. We show that the authentication provided by the Bluetooth pairing protocols is insufficient and does not provide the promised MitM protection. We present a new Invalid Curve Attack that preserves the x-coordinate of the public keys. The attack compromises the encryption keys of all of the current Bluetooth authenticated pairing protocols, provided both paired devices are vulnerable. Specifically, it successfully compromises the encryption keys of 50% of the Bluetooth pairing attempts, while in the other 50% the pairing of the victims is terminated. Finally, we show that most of the Bluetooth market is vulnerable. To overcome this attack, the Bluetooth standard was revised, and dozens of vendors patched their implementations.

• Friday, 24th of January 2020 at 13:40
All on Deck! by Gilles Van Assche & Joan Daemen

We will give the talk we gave at Real World Crypto. The talk is about deck functions, a new type of cryptographic primitive that has the ambition to push the block cipher from its throne of favourite building block.

• Friday, 24th of January 2020 at 13:15
Friet-PC, a Permutation with Buit-in Fault Detection by Thierry Simon

In this talk I will present Friet-PC, a 384-bit cryptographic permutation designed to be extended using an error-correcting code. Then, I will discuss the fault-detection capabilities of the resulting permutation. Finally, I will argue that the cost of the added redundancy can be limited by carefully choosing the building blocks of the round function.

• Friday, 24th of January 2020 at 12:30
Trail bounds in Keccak-$f$ by Silvia MELLA

In this talk, I will present a tree-based approach to efficiently scan the space of high-probability differential trails in Keccak-$f$. This technique allows to scan the space of trails with weight per round of 15 and thus to improve bounds for the minimum weight of differential trails in Keccak-$f$ on 3, 4, 5 and 6 rounds.
I will then show some preliminary results obtained by applying the same techniques to bound the weight of linear trails.

• Monday, 20th of January 2020 at 14:00
Side Channels in Cryptographic Software, the Haskell case by Marcel Fourné

In this talk I will make a case for implementing cryptographic algorithms in programming languages with strong type system guarantees.
In the first half I will recapitulate the problem of side-channel attacks and different approaches to prove an implementation side-channel silent, with some tradeoffs.
Following this overview, I will introduce Haskell as a uncommon, but possible cryptographic implementation language and an approach to have a single compiler produce Assembly code and prove that code to be constant time in its handling of secret values.
Changing execution semantics and compiler optimisations pose problems, which I will discuss briefly. I will present an example of a lazy evaluation side-channel which is not as apparent in a strict context and how specific Glasgow Haskell Compiler phases can be analysed.

• Friday, 17th of January 2020 at 12:30
No DiS Lunch (Carpet change)
• Friday, 10th of January 2020 at 12:30
No DiS Lunch (Real World Crypto)
• Friday, 3rd of January 2020 at 12:30
No DiS Lunch (Return from vacations)
• Friday, 20th of December 2019 at 12:30
No DiS Lunch (Last Friday)
• Friday, 13th of December 2019 at 12:30
Compositional Non-Interference for Fine-Grained Concurrent Programs by Dan Frumin

We present SeLoC: a relational separation logic for verifying non-interference of fine-grained concurrent programs in a compositional way. SeLoC is more expressive than previous approaches, both in terms of the features of the target programming language, and in terms of the logic. The target programming language supports dynamically allocated references (pointers), higher-order functions, and fine-grained fork-based concurrency with low-level atomic operators like compare-and-set. The logic provides an invariant mechanism to establish protocols on data that is not protected by locks. This allows us to verify programs that were beyond the reach of previous approaches.
A key technical innovation in SeLoC is a relational version of weakest preconditions to track information flow using separation logic resources. On top of these weakest preconditions we build a type system-like abstraction, using invariants and logical relations. SeLoC has been mechanized on top of the Iris framework in the Coq proof assistant.

• Friday, 6th of December 2019 at 12:30
Evaluating the effectiveness of heuristic worst-case noise analysis in FHE by Rachel Player

We investigate the accuracy of worst-case heuristic bounds on the noise growth in ring-based homomorphic encryption schemes. We use the methodology of Iliashenko (PhD thesis, 2019) to provide a new heuristic noise analysis for the BGV scheme. We demonstrate that for both the BGV and FV schemes, this approach gives tighter bounds than previous heuristic bounds, by as much as 10 bits of noise budget. Then, we provide experimental data on the noise growth of HElib and SEAL ciphertexts, in order to evaluate how well the heuristic bounds model the noise growth in practice. We find that, in spite of our improvements, there is still a gap between the heuristic estimate of the noise and the observed noise in practice. We extensively justify that the heuristic worst-case approach inherently leads to this gap, and hence leads to selecting significantly larger parameters than needed. We propose tightening this gap as an open problem, and suggest a possible solution. As an additional contribution, we update the comparison between the two schemes presented by Costache and Smart (CT-RSA, 2016). Using the new analysis, we show that FV has a slight advantage over BGV, even for large plaintext modulus, in contrast to the findings of Costache and Smart.

Joint work with Anamaria Costache and Kim Laine.

• Friday, 29th of November 2019 at 12:30
No DiS Lunch (Crypto Working Group in Utrecht)
• Friday, 22nd of November 2019 at 15:15
Generalized Secret Sharing Schemes using N-mu-MDS Codes by Vishal Saraswat

Secret sharing schemes are one of the essential mechanisms for safeguarding secret information and have found many applications in modern cryptographic protocols such as distributed computing, secure multiparty computations, threshold cryptography, attribute-based encryption, access control, generalized oblivious transfer and Byzantine agreement. We propose an N-mu-MDS codes based efficient generalized secret sharing scheme which is ideal and perfect and has the desirable security features of cheating detection and cheater identification.

• Friday, 22nd of November 2019 at 12:30
No DiS Lunch (cancelled)
• Wednesday, 20th of November 2019 at 14:30
Practical Post-Quantum Cryptography by Joost Rijneveld

This thesis is a collection of the work I have done at Radboud University between 2015 and 2019, under the super­vision of Peter Schwabe and in collaboration with a wide range of coauthors.

The work consists of three separate chapters, discussing (specific schemes and optimization targets within the realms of) hash-based signatures, MQ-based signatures and lattice-based KEMs. While 'post-quantum cryp­tog­ra­phy' is the obvious commonality, the real focus of this work is on cryptographic en­gi­neer­ing, and most of my contributions involve software optimization.

• Friday, 15th of November 2019 at 12:30
Why smart cards do not make the enterprise more secure
(Practical attacks on cryptographic systems in enterprise networks)
by Stan Hegt

In recent years many organisations have implemented smart card authentication or other forms of two-factor authentication as a measure to reduce the risks associated with traditional password-based authentication. However, the low level details of underlying protocols in Windows networks such as Kerberos and NTLM introduce new security caveats when combined with smart cards. Although secure algorithms and protocols are used as building blocks, they can still yield insecure cryptographic systems when combined. In this talk I will demonstrate this via various practical attacks on the cryptographic systems that are used in modern Windows networks.

• Monday, 11th of November 2019 at 16:30
Categorical approaches to computations in contextuality and causality by Sander Uijlen

• Friday, 8th of November 2019 at 12:30
Speaking Computer Science to Law by Mireille Hildebrandt

In this talk I will explain why the COHUBICOL ERC project on ‘innovation in legal method’ is hiring CS postdocs at iCIS

We now have a number of outrageous (?) claims regarding so-called ‘legal tech’. This regards (1) ’smart contracts’ and ’smart regulation’ (or ‘persistent script’ as Vitalik said he should have coined it), and (2) the use of machine learning to either mine argumentation lines rom relevant legal sources (legislation, case law, doctrine) or to predict legal judgements (based on NLP, voting behaviour of judges).

The COHUBICOL project aims to (1) investigate the CS assumptions on which such claims are based, (2) the extent to which such claims can be verified AND falsified, (3) to develop an assessment framework that enables lawyers to test and contest such claims. The role of the computer scientists will be to contribute to a proper understanding on the side of the legal team of what computing systems can and cannot deliver, such that the legal team learns to ask the right types of questions and is able to sufficiently understand the answers.

• Friday, 25th of October 2019 at 12:30
Advance Use of Git by Benoît Viguier

Disclaimer: if you don't like command line interfaces, this talk is not for you.

In this talk I will review more advanced features of Git; such as branching, merging, rebasing, resetting etc. I will also motivate some good practices.

• Friday, 18th of October 2019 at 12:30
How to Break Attribute-Based Encryption by Marloes Venema

Attribute-based encryption (ABE) is a type of public-key cryptography that associates key-pairs with attributes rather than identities. For this reason, many users can possess secret keys for one or more of the same attributes. Moreover, users might want to collude by pooling their secret keys together such that they might be able to decrypt ciphertexts that they cannot decrypt individually. This is not allowed in secure ABE. Because both the ciphertexts and the secret keys require strong security guarantees, designing provably secure ABE is difficult. As a result, several ABE schemes are broken despite having security proofs. In this talk, I will show how to make and break ABE, and how (crypt)analysis of an ABE scheme can be simplified by reducing schemes to an efficient and structured notation.

• Friday, 11th of October 2019 at 12:30
Recent Developments in Deep Learning for Implementation Attacks by Stjepan Picek

Recent years showed that machine learning can be a powerful paradigm for implementation attacks, especially profiling side-channel attacks (SCAs). Still, despite all the success, we are limited in our understanding when and how to select appropriate machine learning techniques. Additionally, the results we can obtain are empirical and valid for specific cases where generalization is often difficult. In this talk, we discuss several well-known machine learning techniques, the results obtained, and their limitations. Next, we concentrate on deep learning techniques and potential benefits such techniques can bring to SCA, with an emphasis on real-world scenarios. In the last part of the talk, we discuss how various AI techniques can be used for fault injection attacks.

• Tuesday, 8th of October 2019 at 14:30
Effectuses in Categorical Quantum Foundations by Kenta Cho

• Friday, 4th of October 2019 at 12:30
How to (not) implement modular reduction for 3329? by Pedro Maat Costa Massolino

In this talk, I will talk about a very "controversial" subject, one of Kyber's new parameter for the second round in NIST PQC.
More specifically, I will talk about how to perform modular reduction for the new Kyber's prime, aka 3329.
I will compare the method based on the original documentation with Montgomery reduction, and with pseudo Mersenne reduction.
I will show some results in hardware (FPGA and ASIC) of the two strategies, and even show that writing the same thing a little different can lead to interesting results.

• Friday, 27th of September 2019 at 12:30
Embedded Post-Quantum Crypto: pqm4 and Kyber on Cortex-M4 by Matthias Kannwischer

In this talk, I'm going to present a memory-efficient high-speed implementation of Kyber for the ARM Cortex-M4 that was presented at Africacrypt 2019.
Furthermore, I am going to present recent results of the Cortex-M4 benchmarking project pqm4 which aims to cover all the NIST PQC candidates. pqm4 was presented last month at the Second NIST PQC Standardization Conference in Santa Barbara.

• Friday, 20th of September 2019 at 12:30
A week in the life of a cyber security consultant at Deloitte by Colin Schappin

Deloitte's cyber security team consists of around 230 professionals, with people specializing in payment security, malware analysis, red teaming and much more. We will discuss the great variety of backgrounds that are present in our team and talk about many interesting projects that our colleagues work on.

• Friday, 13th of September 2019 at 12:30
A Reaction Attack against Cryptosystems based on LRPC Codes by Simona Samardjiska

Rank metric is a very promising research direction for code-based cryptography. In fact, thanks to the high complexity of generic decoding attacks against codes in this metric, it is possible to easily select parameters that yield very small data sizes. In this talk I will present the results from a recent paper where we analyze cryptosystems based on Low-Rank Parity-Check (LRPC) codes, one of the classes of codes that are efficiently decodable in the rank metric. We show how to exploit the decoding failure rate, which is an inherent feature of these codes, to devise a reaction attack aimed at recovering the private key. As a case study, we cryptanalyze the 1st round McNie submission to NIST’s Post-Quantum Standardization process. In the paper, we provide details of a simple implementation to validate our approach.

• Friday, 6th of September 2019 at 12:15
Automatic Tools in Cryptanalysis — Analysis of the MD4 Family of Hash Functions by Florian Mendel from Infineon Technologies

Research in symmetric cryptography in the last few years is mainly driven by dedicated high-profile open competitions such as NIST’s AES and SHA-3 selection procedures, or the ongoing NIST LWC initiative. While these focused competitions in symmetric cryptography are generally viewed as having provided a tremendous increase in the understanding and confidence in the security of these cryptographic primitives, the large number of submissions to such competitions reveal major problems related to analytical effort for the cryptographic community. Therefore, automatic tools are needed to assist the cryptanalysts in their work. In this talk, we will present an automatic tool/framework for differential cryptanalysis. Although the tool was originally designed for the analysis of hash functions, we think that it might be also of some interest for the analysis of other cryptographic primitives as for instance the NIST LWC candidates

• Friday, 23rd of August 2019 at 14:30
Exploiting Horizontal Leakage in Public Key Cryptosystems by Lukasz Chmielewski

• Friday, 23rd of August 2019 at 14:30
Security on the Line: Modern Curve-based Cryptography by Joost Renes

• Tuesday, 9th of July 2019 at 12:30
OTRv4, the newest version of the Off-The-Record protocol. by Sofía Celi

OTRv4 is the newest version of the Off-The-Record protocol. As a Privacy Enhancing Technology, it is a protocol where the newest academic research intertwines with real-world implementations. This new version asks us to revisit definitions around deniability (participation, message, online and offline), forward and post-compromise secrecy, and how important they are to the world. In this talk, we will examine the key security properties that secure messaging protocols and applications should have. We will explore how these properties are achieved in OTRv4, in particular, and why they are needed in today’s world.

• Friday, 5th of July 2019 at 12:30
The Art of The Scam: Demystifying Honeypots in Ethereum Smart Contracts by Christof Torres

Modern blockchains, such as Ethereum, enable the execution of so-called smart contracts – programs that are executed across a decentralised network of nodes. As smart contracts become more popular and carry more value, they become more of an interesting target for attackers. In the past few years, several smart contracts have been found to be vulnerable and thus exploited by attackers. However, a new trend towards a more proactive approach seems to be on the rise, where attackers do not search for vulnerable contracts anymore. Instead, they try to lure their victims into traps by deploying vulnerable-looking contracts that contain hidden traps. This new type of contracts is commonly referred to as honeypots. In this paper, we present the first systematic analysis of honeypot smart contracts, by investigating their prevalence, behaviour and impact on the Ethereum blockchain. We develop a taxonomy of honeypot techniques and use this to build HONEYBADGER – a tool that employs symbolic execution and well defined heuristics to expose honeypots. We perform a large-scale analysis on more than 2 million smart contracts and show that our tool not only achieves high precision, but also high scalability. We identify 690 honeypot smart contracts as well as 240 victims in the wild, with an accumulated profit of more than $90,000 for the honeypot creators. Our manual validation shows that 87% of the reported contracts are indeed honeypots. • Friday, 28th of June 2019 at 12:30 No DiS Lunch (No Speaker) • Friday, 21st of June 2019 at 12:30 No DiS Lunch (Croatia Summer school week) • Friday, 14th of June 2019 at 12:30 No DiS Lunch (No Speaker) • Friday, 7th of June 2019 at 12:30 IoT at Qbit Cyber Security by Willem Westerhof & Pieter Meulenhoff Qbit Cyber Security, originating from ITsec, the oldest ICT security organisation in the Netherlands is specialised in performing Security Assessments. In the context of the ICT landscape changing to an environment where everything is "connected", Qbit is developing an IoT testing lab environment for the purpose of testing IoT devices. Part of the IoT lab is a cooperation with organisation such as the Consumentenbond and several applied universities. During the presentation we will explain who we are, what we do, how we can work together and will show anonymised cases and examples as seen in practice. • Friday, 31st of May 2019 at 12:30 No DiS Lunch (Ascension Friday) • Tuesday, 28th of May 2019 at 14:30 Contextual Identity in Practice by Brinda Badarinath Hampiholi • Friday, 24th of May 2019 at 11:00 How do banks manage crypto? by Bárbara Vieira In this talk the speaker will introduce how cryptography is managed within ABN AMRO bank. The speaker will also address current crypto-related challenges in the financial sector. • Friday, 17th of May 2019 at 12:30 Practical approach to enhance inter-organisational use of API’s with nlx.io by Eelco Hotting NLX is an open source inter-organisational system facilitating federated authentication, secure connecting and protocolling in a large-scale, dynamic API landscape.” Governmental organizations in The Netherlands find themselves in the unique position where many API providers and consumers from many organizations have to interact in n-m relationships. Current mechanisms to use API’s from external organizations come with cumbersome bureaucratic processes. With NLX we aim to eliminate man-in-the-middle constructions, decreasing administrative overhead. We aim to optimize for speed and a high level of security. By using the NLX network all API calls are logged in a way that enables the data provider to become GDPR compliant, e.g. by giving insight in data usage. As this is a non-commercial, Open Source initiative started by local governments, we’d love to confront the work in progress with your crowd and see if it survives. • Tuesday, 14th of May 2019 at 12:30 Dagger and Dilation in the Category of Von Neumann algebras by Bas Westerbaan This doctoral thesis is a mathematical study of quantum computing, concentrating on two related, but independent topics. First up are dilations, covered in chapter 2. In chapter 3 "diamond, and then, dagger" we turn to the second topic: effectus theory. Both chapters, or rather parts, can be read separately and feature a comprehensive introduction of their own. • Tuesday, 14th of May 2019 at 10:30 The Category of Von Neumann Algebras by Bram Westerbaan In this dissertation we study the category of completely positive normal contractive maps between von Neumann algebras. It includes an extensive introduction to the basic theory of$C^∗$-algebras and von Neumann algebras. • Friday, 10th of May 2019 at 12:30 What can I do with string diagrams by Kang Feng In this talk, I will be introducing what are string diagrams and how to do arithmetic (just natural numbers) with string diagrams. The talk assumes no deep understanding of mathematics, but you need to know how to count. If time permits, I may say a little on how string diagrams are used for quantum circuits. • Friday, 3rd of May 2019 at 12:30 by No DiS Lunch (No Speaker) • Friday, 26th of April 2019 at 12:30 SCA simulators: the why, the what and some (unexpected) challenges by Ileana Buhan Side channel attacks target the implementation of crypto algorithms. As the target of a side channel attack is implementation, evaluations can be done only when the product is finished. As a developer, however, you want to know if your implementation is vulnerable early during the development cycle and not just before your product is ready to launch. The first step in a typical SCA evaluation is the acquisition of power traces using an oscilloscope. An SCA simulator creates traces similar to the one collected with an oscilloscope, and in theory, could be used during development. In this talk, I will go over the different classes of simulators, their advantages, and disadvantages and will highlight the challenges of fairly comparing them. • Friday, 19th of April 2019 at 12:30 No DiS Lunch (Good Friday) • Friday, 12th of April 2019 at 12:00 Towards an understanding of fingerprints and fingerprint surface by Rik Dolfing When fingerprinting is discussed, a lot of different terminology is used. Studies use different terms, are not always clear about the studied features and propose methods which lack a fundamental approach. There is an understanding about the concept of fingerprinting, but it lacks a fundamental way to reason about it. We talk about a fingerprint surface and propose a taxonomy to use when discussing this topic. We applied our taxonomy to important studies over multiple years and reason about counter measures. We argue that the fingerprint surface is a fundamentally hard to problem, as it is hard to be complete in every category. We identified the browser property category that can be complete and introduce Prop-test to return the entire fingerprint surface for this category. • Friday, 5th of April 2019 at 12:30 Grobner Basis algorithms and symmetric cryptanalysis by Marc Stevens In this talk I will discuss cryptanalytic applications of Grobner Basis algorithms and some possible directions of improvements. • Tuesday, 2nd of April 2019 at 12:30 Attacks on Filtered LFSR using Finite Field Structure by Yann Rotella Filter generators are vulnerable to several attacks which have led to well-known design criteria on the Boolean filtering function (mainly Algebraic Immunity and Nonlinearity). However, Rønjom and Cid have observed that a change of the primitive root defining the LFSR leads to several equivalent generators. They usually offer different security levels since they involve filtering functions of the form$F(x^k)$where$k$is coprime to$(2^{n-1})$and$n$denotes the LFSR length. We prove that this monomial equivalence does not affect the resistance of the generator against algebraic attacks, but usually impacts the resistance to correlation attacks. Most importantly, a more efficient attack can often be mounted by considering non-bijective monomial mappings. In this setting, a divide-and-conquer strategy applies based on a search within a multiplicative subgroup of$F_{2^n}^*$. Moreover, if the LFSR length n is not a prime, a fast correlation attack involving a shorter LFSR can be performed. This attack is generic and uses the decomposition in the multiplicative subgroups of$F_{2^n}^*$, leading to new design criteria for Boolean functions used in Cryptography. • Friday, 29th of March 2019 at 12:30 No DiS Lunch (FSE) • Friday, 22nd of March 2019 at 12:30 No DiS Lunch (PhD Defense) • Friday, 22nd of March 2019 at 10:30 Side-channel attacks and countermeasures on Elliptic Curve Cryptography by Louiza Papachristodoulou Encrypted devices have become part of our day to day lives and it is very important to protect such devices against malicious users. Physical attacks are a common threat to the security of embedded devices. A malicious user can decipher secret information by measuring the time that an algorithm takes to execute, the power consumption, the electromagnetic emanations or other physical quantities that could form a meaningful physical leak. Louiza Papachristodoulou’s PhD research centred on the security of cryptographic algorithms with public keys, and specifically on Elliptic Curve Cryptography (ECC). ECC is generally used for implementing asymmetric cryptographic protocols in integrated systems. In her thesis, Papachristodoulou presents a powerful, new attack method called Online Template Attacks which has broad applicability in various ECC implementations. Further to this, she presents and evaluates algorithmic and numerical countermeasures that provide new insights for safe implementations. • Friday, 15th of March 2019 at 12:30 Discrimination, Artificial Intelligence and Algorithmic Decision-Making by Frederik Zuiderveen Borgesius I will present some highlights from a report that he wrote recently for the council of Europe about ‘Discrimination, artificial intelligence, and algorithmic decision-making’. AI-driven decisions can have far-reaching effects. The police can use AI to predict who will commit crimes. Banks can use AI to decide whether to give somebody a mortgage. AI decisions can seem rational and unbiased. But, unfortunately, AI can have discriminatory effects, for instance when AI systems learn from biased human decisions. The report examines which legal protection exists in Europe against AI-driven discrimination, and how that protection could be improved. The report can be found here. • Thursday, 14th of March 2019 at 12:30 Investigations of trail bounds for Noekeon-64 by Jonathan Fuchs In this talk, we will show how to apply the techniques for trail bounds published by Mella, S., Daemen, J., & Van Assche, G. to the Noekeon block cipher. This method consists of identifying independent regions of the state of the cipher with regards to its round function, allowing for efficient pruning of the search space. Using this method, we are able to reproduce past results for the original 128 bits variant of Noekeon and generate new differential trail bounds for a 64-bit variant. • Friday, 8th of March 2019 at 12:30 Leakage-Resilient AE & Single-Trace Attacks by Robert Primas Passive implementation attacks such as Differential Power Analysis (DPA) are powerful tools for extracting secrets from cryptographic implementations that only require the attacker to observe a device's power consumption during normal operation. In this talk I will revisit this topic, both from the defender's and the attacker's point of view. First, I will present ISAP v2.0, a lightweight and DPA secure authenticated encryption mode that was submitted by colleagues and myself to the NIST competition for lightweight cryptography. In the second part I present work on single-trace attacks, i.e., attacks that can recover secrets even if the attacker is restricted to observing only one power trace of a cryptographic computation. As a concrete example I will show how such an attack can be used to extract a private key from a masked RLWE-based encryption scheme. • Friday, 1st of March 2019 at 12:30 Constrained Gaussian elimination for quantum CNOT circuit routing by Arianne Meijer In order to execute a (logical) quantum circuit on a physical quantum computer, the original circuit needs to be adjusted such that the used gates are present in the architecture of the quantum computer. In this talk, an approach to routing circuits consisting of only CNOT gates (parity maps) is presented. In short, the circuit is first condensed to its matrix representation and an equivalent circuit is extracted from the matrix such that it obeys the given architecture. This is done with a constrained Gaussian elimination that uses Steiner trees and a given Hamiltonian path over the architecture. This method can be optimized with a genetic algorithm by searching for an optimal mapping from logical qubits to their physical location in the architecture. The resulting circuits use less CNOT gates than the compiled circuits obtained from the Quil compiler. • Friday, 22nd of February 2019 at 12:30 No DiS Lunch (No speakers) • Friday, 15th of February 2019 at 12:30 Data refinement for Cogent by Gabriele Keller Cogent is a high-level functional language that reduces the cost of writing and formally verifying efficient systems code. In this talk, I'll give a brief introduction of the language, and talk about our current work, on supporting data layout descriptions which enable customising memory layouts of Cogent algebraic datatypes. This extension allows programmers to write more code in Cogent and to integrate Cogent code with existing C programs (e.g. the Linux kernel) more seamlessly. • Friday, 8th of February 2019 at 12:30 Faster polynomial multiplication on Cortex M4 to speed up NIST candidates by Joost Rijneveld In 2016, NIST put out a call for proposals for digital signature schemes and key exchange methods that can hold up against an adversary that has a quantum computer. In November of 2017, a large collection of such schemes was submitted for consideration, based on a wild variety new and existing mathematical structures. For this work, we look at the key exchange schemes that make use of multiplication over$Z_{2^m}[x]$, and optimize this operation on the Cortex M4. In this talk, I will describe how we optimize small polynomial multiplications on the M4, review larger multiplication using Karatsuba's and Toom-Cook's methods, and discuss our design-space exploration towards finding the optimal multiplication methods for the various schemes. • Friday, 1st of February 2019 at 12:30 No DiS Lunch (Expected speaker not present) • Friday, 25th of January 2019 at 12:30 MineSweeper: An in-depth look into drive-by cryptocurrency mining and its defense by Veelasha Moonsamy A wave of alternative coins that can be effectively mined without specialized hardware, and a surge in cryptocurrencies’ market value has led to the development of cryptocurrency mining (cryptomining) services, such as Coinhive, which can be easily integrated into websites to monetize the computational power of their visitors. While legitimate website operators are exploring these services as an alternative to advertisements, they have also drawn the attention of cybercriminals: drive-by mining (also known as cryptojacking) is a new web-based attack, in which an infected website secretly executes JavaScript code and/or a WebAssembly module in the user’s browser to mine cryptocurrencies without their consent. In this talk, I will elaborate on the comprehensive analysis we performed on Alexa’s Top 1 Million websites to shed light on the prevalence and profitability of this attack. We study the websites affected by drive-by mining to understand the techniques being used to evade detection, and the latest web technologies being exploited to efficiently mine cryptocurrency. As a result of our study, which covers 28 Coinhive-like services that are widely being used by drive-by mining websites, we identified 20 active cryptomining campaigns. Furthermore, motivated by our findings, we investigate possible countermeasures against this type of attack. I will discuss how current blacklisting approaches and heuristics based on CPU usage are insufficient, and present MineSweeper, a novel detection technique that is based on the intrinsic characteristics of cryptomining code, and, thus, is resilient to obfuscation. • Friday, 18th of January 2019 at 12:30 Template attack: Is the data and crypto scientist's point of view different? by Léo Weissbart Side-channel attacks (SCA) are perpetrated by a third party during a communication and take advantage of information leaks, from a device or an algorithm, to infer secret data. One powerful type of SCA is template attack (TA) and, as other types profiling attacks, relies on the principle : Evaluate a trend from a known data leaks to create models characterizing it, and applying the models on an unknown leak to identify it. While this method have been designed to be used for SCA purpose, it remains a probabilistic approach to solve an automation problem of classification. This problem is frequently solved in data science with different methods (e.g. SVM, RF). Those methods show good results on many applications similar to SCA, of which I will present some resolution approaches to SCA solving by data scientist methods. • Friday, 11th of January 2019 at 12:30 No DiS Lunch (Real World Crypto) • Friday, 4th of January 2019 at 12:30 No DiS Lunch (Vacations) • Friday, 14th of December 2018 at 12:30 No DiS Lunch (last Friday) • Friday, 14th of December 2018 at 12:30 No DiS Lunch (PI Lab meeting) • Friday, 7th of December 2018 at 12:30 Linear cryptography over$GF(P)$by Tim van Dijk The community that studies functions over$GF(2)$and$GF(2^n)$does not stop at the binary case, but also studies functions over$GF(P)$. The work I do here during my research internship focuses on linear cryptography over$GF(P)$, trying to capitalize on the large amount of theoretical results over$GF(P)$. I will briefly explain how I implemented various bit-sliced operations over$GF(3)$,$GF(5)$and$GF(7)$and how I modified the Walsh-Hadamard transform to work over$GF(P)$. Then, the remainder of the talk will be about using differential cryptanalysis to find collisions in Message Authentication Codes. In order to find collisions one needs to find a trail with a high differential probability. I will show how evolutionary algorithms can be applied to find such a trail. • Friday, 23rd of November 2018 at 12:30 Symbolic Analysis to Prevent Spectre Attacks by Sunjay Cauligi I will introduce a semantic framework for modeling speculative/out-of-order execution, and show how this framework can be used to reason about several variants of Spectre. I will also propose a method of using symbolic analysis based on this model to check cryptographic code for potential Spectre vulnerabilities. • Friday, 16th of November 2018 at 13:00 A computer scientist introduction to quantum computing by John Van de Wetering In this Digital Security lunch I walk talk neither about security nor about digital systems. Instead I will give a computer scientist introduction to quantum computing. I will discuss why you should care about quantum computers (spoiler: it is not because it breaks RSA), how you do actual computations and what the challenges are in getting an actual practical scale quantum computer to work. This discussion will then converge to the topic that Aleks and I have been working on, namely optimizing quantum circuits. Using a completely different method than the competition, we are able to make circuits more efficient than the current state-of-the-art. • Friday, 16th of November 2018 at 12:30 Vulnerabilities in hardware encryption of SSDs (continued) by Carlo Meijer Continuation of Carlo's previous talk with a demo on SSDs. • Friday, 9th of November 2018 at 13:30 Anomaly detector for Cyber-Physical Industrial Systems by Anna Guinet As an evolution of traditional industrial control systems, cyber-physical industrial systems combine feedback control theory with computing and communication capabilities. Attacks against these critical systems shall be handled both in terms of safety and security. In doing so, we propose a challenge-response detector, based on control-theoretic watermarks, that handles integrity attacks. The detector is robust against adversaries that are able to acquire knowledge of the system's parameters, through the network, to compromise the physical behavior. • Friday, 9th of November 2018 at 12:30 Vulnerabilities in hardware encryption of SSDs by Carlo Meijer We have analyzed the hardware full-disk encryption implementation of several Self-Encrypting Drives (SEDs) from Samsung and Crucial (Micron) by reverse engineering their firmwares. The vendors combined cover a majority of the market share of SEDs sold today. In theory, the security guarantees offered by hardware encryption are similar to those of software implementations. In reality, we found that many hardware implementations have critical security weaknesses, for many models allowing for complete recovery of the data without knowledge of any secret. BitLocker, the encryption software built into Microsoft Windows will rely exclusively on hardware full-disk encryption if the drive advertises supported for it. Thus, for these drives, data protected by BitLocker is also compromised. This challenges the view that full-disk encryption implemented in hardware is preferable over software. We conclude that one should not rely solely on hardware encryption offered by SEDs. public announcement • Friday, 2nd of November 2018 at 12:30 No DiS Lunch (Vacations) • Friday, 26th of October 2018 at 12:30 Inside Job: Applying Traffic Analysis to Measure Tor from Within. by Rafa Gálvez In this paper, we explore traffic analysis attacks on Tor that are conducted solely with middle relays rather than with relays from the entry or exit positions. We create a methodology to apply novel Tor circuit and website fingerprinting from middle relays to detect onion service usage; that is, we are able to identify websites with hidden network addresses by their traffic patterns. We also carry out the first privacy-preserving popularity measurement of a single social networking website hosted as an onion service by deploying our novel circuit and website fingerprinting techniques in the wild. Our results show: (i) that the middle position enables wide-scale monitoring and measurement not possible from a comparable resource deployment in other relay positions, (ii) that traffic fingerprinting techniques are as effective from the middle relay position as prior works show from a guard relay, and (iii) that an adversary can use our fingerprinting methodology to discover the popularity of onion services, or as a filter to target specific nodes in the network, such as particular guard relays. • Friday, 19th of October 2018 at 12:30 Shepherd: an automatic and large-scale study of website login security by Hugo Jonker More and more parts of the internet are hidden behind a login field. This poses a barrier to any study predicated on scanning the internet. Moreover, the authentication process itself may be a weak point. To study authentication weaknesses at scale, automated login capabilities are needed. In this work we introduce Shepherd, a scanning framework to automatically log in on websites. The Shepherd framework enables us to perform large-scale scans of post-login aspects of websites. Shepherd scans a website for login fields, attempts to submit credentials and evaluates whether login was successful. We illustrate Shepherd’s ca pabilities by means of a scan for session hijacking susceptibility. In this study, we use a set of unverified website credentials, some of which will be invalid. Using this set, Shepherd is able to fully automatically log in and verify that it is indeed logged in on 6,273 unknown sites, or 12.4% of the test set. We found that from our (biased) test set, 2,579 sites, i.e., 41.4%, are vulnerable to simple session hijacking attacks. • Monday, 15th of October 2018 at 12:30 Collision Attacks on Round-Reduced Keccak by Sing Long This talk presents the first practical collision attack on 5-round SHA3-256. This is obtained by constructing a 2-round connector which links the initial state with a 3-round differential trail. The collision of 5-round SHA3-256 is possible due to an improved algorithm for constructing connectors and a dedicated algorithm for searching differential trails. • Friday, 12th of October 2018 at 12:30 Strings considered harmful by Erik Poll LangSec provides good insights in the root causes of security vulnerabilities (which are typically in input handling) and in software engineering approaches to tackle these root causes. LangSec efforts focus on eridating parsing bugs, but there is a second class of bugs where better parsing does not help: the class of forwarding bugs, which are due to unwanted instead of buggy parsing. We'll discuss this class of bugs, its root causes, and ways to tackle these (notably using types). • Friday, 5th of October 2018 at 12:30 Classical security of SIKE by Joost Renes With the possible uprise of large quantum computers, the standardization procedure by NIST for post-quantum protocols has begun. A protocol I am a contributer to is SIKE, which is unique for being based on the problem of finding isogenies between supersingular elliptic curves. In this talk I will give a brief introduction to the protocol, and then describe the latest developments with respect to its classical security. This has been the subject of a 3-month summer internship at Microsoft Research. • Friday, 28th of September 2018 at 12:30 Causation in a black-box world by Aleks Kissinger It is a well-known platitude that correlation does not imply causation. Indeed the decline of piracy seems to have little causal effect on climate change, in spite of a strong correlation. However, in seminal work due to Pearl, Spirtes, Lauritzen, and others in the early 90s, it was shown (perhaps surprisingly) that under certain circumstances, it is possible to draw causal conclusions purely from observed statistical correlations. Since then, the field of statistical causal inference has given us a big bag of techniques for discovering and measuring causal effects, even in the presence of hidden confounders and selection bias. Indeed, quite a few of our friends downstairs in DaS are working on just that. In this talk, I will give a high-level perspective on causal discovery and inference problems, using the language of process theories. A process theory gives us the bear minimum structure we need to talk about "black boxes" and the fundamental operation of "plugging boxes together" into diagrams of boxes and wires. From there, we can introduce a couple of extra ingredients which enable us to do calculations directly on the diagrams. After introducing some ingredients which are especially helpful for causal inference, I will work through a simple, classic example. Namely, I will show that smoking causes cancer. • Friday, 21st of September 2018 at 12:45 No DiS Lunch (No Speakers) • Friday, 14th of September 2018 at 12:45 No DiS Lunch (Crypto Working Group meeting) • Friday, 7th of September 2018 at 12:30 Intermittent Computing, its vulnerabilities and a protocol to secure its power transitions by Archanaa S. Krishnan In the field of Internet of Things, self-powered devices provide a sustainable alternative to battery powered devices, but they suffer from frequent power loss due to lack of input power. Power loss is handled differently based on the computing model. Conventional computing systems, which do not consider power loss in their computing model, respond to a power loss by losing all the volatile state and by restarting the device upon the next power-up. Whereas intermittent computing systems, which are designed to handle frequent power loses, prevent restarting by storing a snapshot of the device state as a checkpoint in non-volatile memory. Upon the next power-up, the device is restored with the most recent checkpoint and resumes application execution. All the security sensitive data from both the system and application state are stored in a checkpoint. We show that an attacker with access to the non-volatile memory can identify the checkpoints and the vulnerable information stored in them. They have the ability to view, tamper and replay checkpoints without alerting the device. To overcome these vulnerabilities, we designed the Secure Intermittent Computing Protocol, which provides the following security features to the checkpoints of an intermittent system. First, it provides basic information security to checkpoints. Second, it introduces uniqueness to the checkpoints to detect checkpoint replay. Third, the checkpoints are chained to preserve the order of checkpoints. As the protocol is designed for intermittent systems, it is atomic in design to protect checkpoint generation and restoration process form power loss. • Friday, 7th of September 2018 at 11:30 Opportunistic Networks by Carlos Borrego The network paradigm Opportunistic Networking (OppNet) is extremely useful when source and destination nodes are intermittently connected. Examples of this include scenarios where there is no network infrastructure such as emergency scenarios, disconnected ad-hoc networks or more recently, device-to-device vehicular communications. In OppNet, messages are being created and forwarded from one node to another if found. Otherwise, the message has to patiently wait until it is forwarded and finally delivered (or not) to its final destination. In this talk, I will present several published studies where cryptographic tools such as homomorphic encryption, identity-based cryptography and fair exchange signature schemes are used to improve forwarding and delivery decisions in OppNet. • Friday, 7th of September 2018 at 10:30 On Statistical (Ineffective) Fault Attacks by Christoph Dobraunig This talk will be about statistical fault attacks (SFA) and statistical ineffective fault attacks (SIFA). I will cover the basic working principle and idea of these attacks and show possible applications. In particular, we will see how to attack implementations protected with both, masking and detection-based fault countermeasures, using a single fault induction per execution. • Friday, 7th of September 2018 at 10:00 Differential trails clustering for Xoodoo by Nicolas Bordes This talk will be an attempt to summarize the basics of differential cryptanalysis and explain how to search for a cluster of differential trails. We will also see an application to Xoodoo, a new permutation which design is inspired by Keccak. • Friday, 24th of August 2018 at 12:45 Investigating Fingerprinters and Fingerprinting-alike Behaviour of Android Applications by Christof Torres Fingerprinting of browsers has been thoroughly investigated. In contrast, mobile phone applications offer a far wider array of attributes for profiling, yet fingerprinting practices on this platform have hardly received attention. In this paper, we present the first (to our knowledge) investigation of Android libraries by commercial fingerprinters. Interestingly enough, there is a marked difference with fingerprinting desktop browsers. We did not find evidence of typical fingerprinting techniques such as canvas fingerprinting. Secondly, we searched for behaviour resembling that of commercial fingerprinters. We performed a detailed analysis of six similar libraries. Thirdly, we investigated ∼30,000 apps and found that roughly 19% of these apps is using one of the these libraries. Finally, we checked how often these libraries were used by apps subject to the Children’s Online Privacy Protection Act (i.e. apps targeted explicitly at children), and found that these libraries were included 21 times. • Friday, 24th of August 2018 at 11:30 Untagging Tor: A Formal Treatment of Onion Encryption by Martijn Stam joint work with Jean Paul Degabriele (presented at RWC'18 and published at Eurocrypt'18). Tor is a primary tool for maintaining anonymity online. It provides a low-latency, circuit-based, bidirectional secure channel between two parties through a network of onion routers, with the aim of obscuring exactly who is talking to whom, even to adversaries controlling part of the network. Tor relies heavily on cryptographic techniques, yet its onion encryption scheme is susceptible to tagging attacks (Fu and Ling, 2009), which allow an active adversary controlling the first and last node of a circuit to deanonymize with near-certainty. This contrasts with less active traffic correlation attacks, where the same adversary can at best deanonymize with high probability. The Tor project has been actively looking to defend against tagging attacks and its most concrete alternative is proposal 261, which specifies a new onion encryption scheme based on a variable-input-length tweakable cipher. We provide a formal treatment of low-latency, circuit-based onion encryption, relaxed to the unidirectional setting, by expanding existing secure channel notions to the new setting and introducing circuit hiding to capture the anonymity aspect of Tor. We demonstrate that circuit hiding prevents tagging attacks and show proposal 261’s relay protocol is circuit hiding and thus resistant against tagging attacks. • Friday, 6th of July 2018 at 12:45 Pre- and post-quantum Diffie--Hellmans by Benjamin Smith CSIDH (Commutative Supersingular Isogeny Diffie--Hellman) is a postquantum cryptosystem, which, as its name suggests, is intended as a drop-in replacement for classic Diffie--Hellman in practice. In theory, it is a concrete instantiation of Couveignes "Hard Homogeneous Spaces" key exchange. While HHS key exchange has a clear algebraic resemblance to Diffie--Hellman on the surface, but the deeper you go, the weirder it gets. In this talk we will explore some of the crucial differences between DH, ECDH, and CSIDH, while avoiding too much depth and weirdness. • Friday, 22nd of June 2018 at 12:45 Linear Cryptanalysis of Morus by Benoit Viguier MORUS is a high-performance authenticated encryption algorithm submitted to the CAESAR competition, and recently selected as a finalist. There are three versions of MORUS: MORUS-640 with a 128-bit key, and MORUS-1280 with 128-bit or 256-bit keys. For all versions the security claim for confidentiality matches the key size. We present a linear correlation in the keystream of full MORUS, which can be used to distinguish its output from random and to recover some plaintext bits in the broadcast setting. • Friday, 15th of June 2018 at 12:45 No DiS Lunch (Croatia Summer school week) • Friday, 1st of June 2018 at 12:45 TLBleed: a novel side channel attack that bypass the CPU cache by Ben Gras We present TLBleed, a novel side-channel attack that leaks information out of Translation Lookaside Buffers (TLBs). TLBleed shows a reliable side channel without relying on the CPU data or instruction caches. This therefore bypasses several proposed CPU cache side-channel protections. Our TLBleed exploit successfully leaks a 256-bit EdDSA key from libgcrypt (used in e.g. GPG) with a 98% success rate after just a single observation of signing operation on a co-resident hyperthread and just 17 seconds of analysis time. We use novel machine learning techniques to achieve this level of performance. • Friday, 25th of May 2018 at 12:45 No DiS Lunch (No Speakers) • Friday, 18th of May 2018 at 12:45 How to construct hardware multipliers by Pedro Maat Costa Massolino In this talk, I will introduce how hardware multipliers are designed. Then, I will compare on how this is related to a special case: FPGAs. The talk is very high level, therefore a lot of details will not be mentioned or even talk about. • Friday, 20th of April 2018 at 12:40 Practical UC-Secure Delegatable Credentials with Attributes by Manu Drijvers Certification of keys and attributes is in practice typically realized by a hierarchy of issuers. Revealing the full chain of issuers for certificate verification, however, can be a privacy issue since it can leak sensitive information about the issuer's organizational structure or about the certificate owner. Delegatable anonymous credentials solve this problem and allow one to hide the full delegation (issuance) chain, providing privacy during both delegation and presentation of certificates. However, the existing delegatable credentials schemes are not efficient enough for practical use. In this paper, we present the first hierarchical (or delegatable) anonymous credential system that is practical. To this end, we provide a surprisingly simple ideal functionality for delegatable credentials and present a generic construction that we prove secure in the UC model. We then give a concrete instantiation using a recent pairing-based signature scheme by Groth and describe a number of optimizations and efficiency improvements that can be made when implementing our concrete scheme. • Tuesday, 13th of February 2018 at 12:40 Sovrin: Governing the world’s first self-sovereign identity (SSI) network by Jason Law (Sovrin Foundation Trustee, CTO & co-founder, Evernym) Sovrin is a global public utility purpose-built for self-sovereign identity. I'll discuss the principles behind self-sovereign identity and why it's important. I'll talk through some of the past and current challenges and opportunities the contributors faced while designing and implementing the Sovrin network. I'll touch on scaling, privacy, credentials, security, on and off-ledger interactions, distributed key management, the consensus protocol, governance, and interoperability. I'll also talk a bit about cryptographic choices and challenges. • Friday, 9th of February 2018 at 12:40 Mixing Layers in Symmetric Crypto by Ko Stoffelen Mixing layers are responsible for diffusion in (symmetric) cryptographic primitives and are thus essential to withstand known attacks. In this talk I will explain why MixColumns in AES does what it does, and I will cover some of the research that has been done to construct more efficient mixing layers. I will also highlight column parity mixers as an alternative to MDS matrices and I will show how they can be used to design a cryptographic permutation. • Friday, 19th of January 2018 at 12:40 Private law cyber security obligations in the Digital Single Market by Pieter Wolters Cyber security is an important pillar of the digital single market strategy of the European Union. Cyber threats undermine the confidence of consumers. This lack of trust prevents them from fully utilizing the possibilities of the online market. To foster the required confidence, the strategy is aimed at creating a level playing field with a high level of cyber security and consumer and personal data protection. A high level of security can only be reached when private parties are also stimulated to ensure cyber security. However, the actors on the digital market are not sufficiently incentivized as long as no legal security obligations towards the consumers exist. For this reason, the (implementation of) existing and proposed law of the European Union imposes several private law cyber security duties. Still, gaps continue to exist. The security of the digital market depends on many different actors. Even under the proposed rules, not all of these parties have a legal obligation to ensure the cyber security of their service or product. In this paper, I answer the following research question: To what extent does the ‘Digital Single Market’ impose consistent private law cyber security obligations on the providers of goods and services? I show that the duty to ensure cyber security depends on criteria that are, to some extent, arbitrary. Although the existing and proposed Directives and Regulations create a significant degree of harmonization, their approach remains piecemeal. They do not cover all relevant actors and activities. Furthermore, there are important differences between the existing duties to ensure cyber security. These gaps and differences encourage strategic behaviour by the actors on the digital market. They allow them to avoid the legal duties. • Friday, 12th of January 2018 at 12:40 Data protection and civil liability by Tim Walree This is a contribution to the panel discussion at CPDP conference that will focus on the issues around the notion of private law liability (injunctions and/or compensation) with regard to data protection violations. If data subjects start a procedure, they will in principle bear the burden of proof that harm is caused, raising the question of what constitutes a data protection harm, as tort law requires a concrete (material or immaterial) harm. Furthermore, a violation of data protection law, and causality between such violation and the harm, must be established. This may be burdensome, given that (adverse) effects for data subjects are difficult to assess. • Friday, 15th of December 2017 at 12:40 qDSA: Curve25519-based signatures by Joost Renes In elliptic-curve cryptography there is a classical difference between instantiations of protocols used for key exchange (Diffie-Hellman) and authentication (Schnorr-style signatures). Whereas for the first we can rely on x-only arithmetic (eg. Curve25519), the latter requires a full group structure (eg. Ed25519). In this talk I present analogs of the group-based identification and signature schemes for the x-line of elliptic curves, which allows for very small and simple implementations without too much loss of efficiency. It also applies more generally to a Kummer variety of any hyperelliptic curve. This work was presented at Asiacrypt'17. • Friday, 1st of December 2017 at 12:40 Full-State Keyed Duplex With Built-In Multi-User Support by Bart Mennink The keyed duplex construction was introduced by Bertoni et al. (SAC 2011) and recently generalized to full-state absorption by Mennink et al. (ASIACRYPT 2015). We present a generalization of the full-state keyed duplex that natively supports multiple instances by design, and perform a security analysis that improves over that of Mennink et al. in terms of a more modular security analysis and a stronger and more adaptive security bound. Via the introduction of an additional parameter to the analysis, our bound demonstrates a significant security improvement in case of nonce-respecting adversaries. Furthermore, by supporting multiple instances by design, instead of adapting the security model to it, we manage to derive a security bound that is largely independent of the number of instances. • Friday, 24th of November 2017 at 12:40 Cyber Security IP Framework by Maarten Bodlaender Prime Dutch cyber security results often do little for the Dutch economy, instead they mainly benefit the dominant American ICT industry players. This limits research budgets. This presentation contains a proposal to address this through a public-private collaboration between Philips and cyber security research institutes. • Friday, 17th of November 2017 at 12:40 Complexity Vulnerability Analysis using Directed Fuzzing and Dynamic Symbolic Execution by Rody Kersten If the worst-case time/space complexity of an algorithm is significantly higher than the respective average case, the algorithm may be vulnerable to a Denial-of-Service attack. In this talk, novel ideas are discussed to detect such security vulnerabilities using a combination of grey-box fuzzing and dynamic symbolic execution. I will present the tool Kelinci, which is an interface to run the popular grey-box fuzzer AFL on Java programs. Kelinci has identified bugs in Apache Commons Imaging and JDK versions 6-9. An extended version, KelinciWCA, adds a Worst-Case Analysis by collecting resource usage information and directing the fuzzer towards more costly program behaviors. It can achieve significant slow-downs on classic algorithms, quickly identify hash collisions and find regular expressions leading to exponential matching time. Finally, I will discuss how this powerful approach can be further improved by bringing in dynamic symbolic execution to alleviate fuzzing's biggest weakness. • Friday, 3rd of November 2017 at 12:40 Faster & Simpler DCA by Albert Spruyt & Ruben Muijrers (Riscure) White box cryptography aims to perform cryptography in software, and to do it in such a way that an attacker with full control over the system cannot recover the used key. A number of attacks from the hardware world have been shown to be effective on white box cryptography. In particular DFA and DPA. These attacks work very much the same as their hardware counterparts with a few notable differences. The computations for DPA in this case are not based on power measurements but on values and addresses in the memory or registers of the target during the execution of the crypto operation. A notable problem is the amount of data to work with in these scenarios (up to a few gigabyte per encryption). This talk will discuss how to deal effectively with these amounts of data. We will present three ways in which the performance of DPA attacks on whiteboxes can increased by several orders of magnitude. We will describe a fast solution to removing duplicate samples, a solution to choosing the correct samples to perform the attack and a novel method for visualizing white box executions. This novel visualization method can also be used to enhance DFA attacks and provides useful control flow information which aids in reverse engineering. • Friday, 27th of October 2017 at 12:40 Reverse Bayesian poisoning: How to use spam filters to manipulate online elections by Hugo Jonker E-voting literature has long recognised the threat of denial-of-service attacks: as attacks that (partially) disrupt the services needed to run the voting system. Such attacks violate availability. Thankfully, they are typically easily detected. We identify and investigate a denial-of-service attack on a voter’s spam filters, which is not so easily detected: reverse Bayesian poisoning, an attack that lets the attacker silently suppress mails from the voting system. Reverse Bayesian poisoning can disenfranchise voters in voting systems which rely on emails for essential communication (such as voter invitation or credential distribution). The attacker stealthily trains the voter’s spam filter by sending spam mails crafted to include keywords from genuine mails from the voting system. To test the potential effect of reverse Bayesian poisoning, we took keywords from the Helios voting system’s email templates and poisoned the Bogofilter spam filter using these keywords. Then we tested how genuine Helios mails are classified. Our experiments show that reverse Bayesian poisoning can easily suppress genuine emails from the Helios voting system. • Friday, 20th of October 2017 at 12:40 Subjective Logic by Boris Skoric Fuzzy Logic is a valuable tool for performing logical computations on truth values that lie between True ans False. However, Fuzzy Logic lacks expressivity. It is not able to distinguish between fuzziness that originates from lack of data and fuzziness that originates from contradictory data. Subjective Logic has an additional dimension: uncertainty due to lack of data. An algebra has been developed for "opinions" in this logic, as well as rules for combining opinions and forming chains of opinions. The original rule for chaining opinions was defective. In this talk we explain the problem and how it was resolved. We have introduced a new chaining rule which simply puts a weight on pieces of evidence. We show how the new algebra enables opinion computations for arbitrary trust networks. (http://arxiv.org/abs/1402.3319) • Friday, 13th of October 2017 at 12:40 Lightning talks by Paulus Meessen and Alexandru Serban In this lunch talk, our new PhD students, Paulus and Alexandru will talk about their previous and current research for about 5 minutes each. • Friday, 29th of September 2017 at 12:40 Side-channel based intrusion detection for industrial control systems by Pol van Aubel Industrial Control Systems are under increased scrutiny. Their security is historically sub-par, and although measures are being taken by the manufacturers to remedy this, the large installed base of legacy systems cannot easily be updated with state-of-the-art security measures. We propose a system that uses electromagnetic side-channel measurements to detect behavioural changes of the software running on industrial control systems. To demonstrate the feasibility of this method, we show it is possible to profile and distinguish between even small changes in programs on Siemens S7-317 PLCs, using methods from cryptographic side-channel analysis. In this short talk, I will present the main points of our paper on a non-technical level, in preparation of presenting it at CRITIS2017 in Lucca. If desired, I can then discuss implementation, technical details, and other questions you may have. • Friday, 15th of September 2017 at 12:40 Gimli: a cross-platform permutation by Benoît Viguier This paper presents Gimli, a 384-bit permutation designed to achieve high security with high performance across a broad range of platforms, including 64-bit Intel/AMD server CPUs, 64-bit and 32-bit ARM smartphone CPUs, 32-bit ARM microcontrollers, 8-bit AVR microcontrollers, FPGAs, ASICs without side-channel protection, and ASICs with side-channel protection. • Friday, 14th of July 2017 at 12:40 Evolution of DDoS attacks by Jair Santanna In tomorrow's lunch colloquium, Jair Santanna, a Ph.D. candidate at University of Twente, will talk about how DDoS attacks evolved over the last half decade. Jair will focus his presentation on revealing findings of public Websites that offer DDoS attacks as a paid service, called booters and stressers. Large network security companies (e.g., Akamai and Incapsula) have pointed these websites as the primary reason for the increase of attacks (both in occurrences and in power). Jair will talk about what he has observed over four years of research in this field and discuss future directions to address the problem. • Friday, 7th of July 2017 at 12:40 No DiS Lunch (No Speakers) • Friday, 30th of June 2017 at 12:40 Should the IoT fear Side-Channel Attacks? A Case Study of a Differential Electromagnetic Attack against Thread by Daniel Dinu, University of Luxembourg The distinguishing feature of the Internet of Things is that many devices get interconnected. The threat of side-channel attacks in this setting is less understood than the threat of traditional network and software exploitation attacks that are perceived to be more powerful. A particular question for a designer of IoT devices and protocols is whether network layer security mechanisms should feature protections against side-channel analysis, such as Differential Power or Electromagnetic Attacks. With this question in mind, we perform a multidisciplinary case study of Thread, an emerging network and transport level stack designed to facilitate secure communication between heterogeneous IoT devices. We perform the first side-channel vulnerability analysis of the Thread networking stack. We leverage various network mechanisms to trigger manipulations of the security material or to get access to the network credentials. We choose the best attack vector we identified to build a complete attack that combines network specific mechanisms and Differential Electromagnetic Analysis. When successfully applied on a Thread network, the attack gives full network access to the adversary. We evaluate the feasibility of our attack using a network of nodes running OpenThread, an open-source implementation of the stack. Then, we suggest a range of countermeasures to prevent our attack and the other attack vectors we identified during the vulnerability analysis. Our experience shows that resistance to side-channel attacks should be carefully considered in designing and implementing protocols for the IoT. • Friday, 23rd of June 2017 at 12:40 Open-source tooling for differential power analysis by Ilya Kizhvatov Differential power analysis attacks have been around in open research for almost twenty years. The field is nowadays rich in methods and techniques, but not in state-of-the-art tools. In view of a very experimental nature of side channel attacks, this is somewhat suprising. I would like to discuss this issue and present an experimental high performance open-source toolkit for DPA written in Julia. • Friday, 16th of June 2017 at 12:40 Passports as encryption smartcards: why traveling abroad with your passport might be illegal by Eric Verheul It is well known that a holder of a passport can use the Active Authentication protocol to sign messages. This usage is known as Remote Document Authentication (RDA). That is, one can effectively use an e-passport as a PKI smartcard to authenticate its holder to an external party. In this talk I will explain how a passport can also cater for encryption by (ab)use of the Chip Authentication protocol. With Remote Document Encryption (RDE) any external party can extract a public key from an e-passport bound to the user identity, allowing data encryption that can only be decrypted by the holder using it e-passport. We can also introduce the notion of an RDE Extraction PIN bound to the passport, effectively providing the same security as a regular PIN. To use RDE the user needs an RFID card reader connected to its computer or an NFC enabled mobile device. The latter is no longer limited to Android based devices as Apple recently announced opening its NFC interface. See https://gototags.com/blog/apple-ios-11-supports-reading-nfc-tags-iphone-7-iphone-8-core-nfc/. Possible RDE applications include secure email, compartmentalization of personal data within portals, secure data storage on NFC devices and cloud encryption. The results also apply to (Dutch) identity cards and electronic driver licences. RDE ironically suggests that carrying a passport when traveling abroad might violate export or import laws on strong cryptography. Details on: https://arxiv.org/abs/1704.05647 • Friday, 9th of June 2017 at 12:40 No DiS Lunch (Croatia Summer school week) • Friday, 2nd of June 2017 at 12:40 Open Maths in Computer Science by Gergely Alpar Research stems from education. Computer science and mathematics are constantly interacting, one needs the other. What do we want from students in terms of skills and knowledge when they arrive to the university and when they leave? When I was involved in teaching maths-related courses at our department such as Security, Cryptography, Calculus and Probability, I was startled. Encountering mathematics, students were happy and successful at following cookbook-like recipes. However, just a very tiny minority of them was able to do something sensible with unexpected problems. Later I figured out the reason: mathematics for students is computation rather than thinking. Making interviews with students and PhD applicants, studying state-of-the-art didactics of mathematics and talking with experts, I see that mathematics education is at the brink of a big change. In this talk I will discuss some of my exciting experiences from my last one year and a half in this field. • Friday, 19th of May 2017 at 12:40 HOW TO ROB A BANK (IN 40 MINUTES) by Stan Hegt During lunch, we are going to digitally rob a bank. Not for profit, but as a friendly match against the security team of this bank. We believe that only perfect practice makes perfect: by simulating an attack as realistically as possible, an organisation is optimally prepared for real incidents. Expect a very practical presentation with demos of modern hacker techniques combined with lessons learned from security teams in defending against targeted attacks. • Friday, 12th of May 2017 at 12:40 Cake theory tidbits by Pedro Maat Costa Massolino "Why did you bring a cake? Is it your birthday today?". "No, I just like to bake". In this talk, I will open up about my hobby of baking cakes. I will share lots of cake pictures and talk about the process of baking, reading recipes, making some small changes and other tips. • Friday, 21st of April 2017 at 12:40 No DiS Lunch (IRMA meeting in Utrecht) • Friday, 14th of April 2017 at 12:40 No DiS Lunch (Easter holiday) • Friday, 7th of April 2017 at 12:40 Secure and Efficient RNS software implementation for Elliptic Curve Cryptography by Louiza Papachristodoulou Elliptic Curve Cryptography operations rely heavily on the strong security of scalar multiplication. However, this operation is vulnerable to side channel (SCA) and fault injection (FA) attacks. The use of alternative arithmetic systems like Residue Number System (RNS) for all scalar multiplication underline operations has been proposed as an efficient countermeasure approach for the above mentioned attacks. In RNS, a number is represented as a set of smaller numbers, where each one is the result of the modular reduction with a given moduli basis. Under certain requirements, a number can be uniquely transformed from the integers to the RNS domain (and vice versa) and all arithmetic operations can be performed in RNS. This representation provides an inherent SCA and FA resistance to many attacks and can be further enhanced by additional RNS arithmetic manipulations or more traditional algorithmic countermeasures. In this presentation, I am going to present a secure RNS based Montgomery Power Ladder based scalar multiplication algorithm, which is implemented on an ARM Cortex A7 processor (Raspberry Pi 2B). The SCA-FA resistance of the implementation is evaluated by collecting preliminary leakage trace results that validate our initial assumptions. This is a joint work with Apostolos Fournaris and Nicolas Sklavos during my research visit in the university of Patras and is going to be presented in SEMS 2017 in Paris. • Friday, 31st of March 2017 at 12:40 SEGRID - Security for Smart Electricity GRIDs by Frank Fransen (TNO) SEGRID is a collaboration project, funded by the EU under the FP7 program. SEGRID partners are DSO’s Manufacturers, knowledge institutions and universities. SEGRID’s main objective is to enhance the protection of smart grids against cyber-attacks. In this presentation an overview will be given on the storyline, use cases and research activities in SEGRID, including risk analysis and management, development of security vulnerability assessment, discovery and diagnosis tools, novel security solutions such as resilient SCADA systems, SDN based resilient communication infrastructure, robustness and scalable D(T)LS-based communication, and privacy by design. For more information, see https://segrid.eu/ . • Friday, 24th of March 2017 at 12:40 No DiS Lunch (Crypto Working Group meeting & OU symposium) • Friday, 17th of March 2017 at 12:40 Covering codes vs LPN by Simona Samardjiska The Learning Parity with Noise (LPN) problem is a fundamental problem from learning theory, that in recent years has attracted the attention of the cryptographic community, as a hardness assumption underlying several new cryptographic primitives. Tightly connected to the problem of decoding random linear codes, it is believed to be resistant to quantum attacks, and thus is very interesting for designing post-quantum secure cryptosystems. There are various approaches for solving the LPN problem, and the most interesting are variants of the BKW algorithm, that employs a reduce and solve techniques. Recently, at ASIACRYPT '14, Guo et al. introduced a novel reduction technique relying on the covering properties of linear binary codes. While the technique is very powerful, the question of constructing codes with good covering properties and efficient decoding remained open. Several subsequent papers address this question, and currently the best know results, reported by Bogos & Vaudenay, are achieved using direct sums of small codes. In this work, we propose a family of codes equipped with an efficient decoding algorithm, that can be used in the reduction technique by Guo et al. The proposed codes are much closer to random codes than previous solutions, which intuitively implies better covering properties. As a consequence, our algorithm, unlike previous proposals, is better suited for larger LPN instances and outputs sub-optimal solutions, as a trade-off to efficiency. The initial results, both theoretical and experimental, show improvements compared to the best known results for all LPN instances with secret length at least 532. • Friday, 10th of March 2017 at 12:40 Innovations in permutation-based encryption and/or authentication by Joan Daemen Imagine there's no block ciphers, it's easy if you try:-) The SHA-3 competition has revealed that a fixed-length permutation is an excellent building block for hashing by means of the sponge. By including a key in the input this can readily be used for message authentication (MAC) and by exploiting the arbitrarily long sponge output for stream encryption. The duplex variant of sponge widens the spectrum to, among other, authenticated encryption and reseedable pseudorandom generation. Up to a few years ago, it was widely believed that, for the same level of security, block-cipher-based modes would be more efficient than permutation-based modes. This picture has recently changed thanks to new strong generic security bounds for a keyed duplex variant that allows full-state absorbing. However, the sponge/duplex modes have the disadvantage that they are inherently serial and exploiting parallelism requires building an additional mode layer on top. We address this concern with Farfalle, a new construction that is a parallel keyed sponge variant. Its structure strongly relaxes the cryptographic requirements for the underlying permutation in comparison with keyed sponge or Even-Mansour and hence it has great potential for high-speed crypto. Farfalle builds a pseudorandom function (PRF) with arbitrary-length input and output that can readily be used for stream encryption and MAC. We realize session-based authenticated encryption, synthentic IV authentication encryption and a wide block cipher by the application of some amazingly simple PRF-based modes. In the talk, I will give an overview of these recent innovations in permutation-based crypto. • Friday, 24th of February 2017 at 12:40 Security at Innopolis University by Engelbert Hubbers In 2016 I was invited to teach a course on Cyber Security at Innopolis University, which is a university that was founded only a few years ago in Kazan in Russia. Because Russia happens to be one of my most favorite countries I accepted the offer to come work for them as a visiting lecturer. In the talk I'll discuss my experiences with this university, the students, the course and some logistics. • Friday, 17th of February 2017 at 12:40 DiS Lunch cancelled (Speaker could not make it.) • Friday, 10th of February 2017 at 12:40 From NewHope to Kyber by Peter Schwabe At USENIX Security 2016, Alkim, Ducas, Pöppelmann and Schwabe presented the "NewHope" Ring-LWE based key exchange protocol. The paper received some attention, if nothing else because USENIX and Facebook awarded the "Internet Defense Prize" for the paper and because Google used the algorithm in a post-quantum experiment for TLS. In my talk I will briefly review the NewHope protocol and then present Kyber, which can be seen as a successor to NewHope that improves communication complexity and security properties. • Friday, 3rd of February 2017 at 12:40 Professionalizing hardware-based memory acquisition techniques by Nico Heijningen The acquisition of volatile memory may be non-trivial during an incident response scenario. A worst case scenario may force an investigator into executing a cold boot attack. During this presentation I will discuss a (forensically sound) proof of concept acquisition method. Together with a justification for the choices that have led to its development. Finally, as only scrambled data is stored in the actual memory modules, I present my attempt at reverse engineering the memory scrambler included in Ivy Bridge generation Intel processors. • Friday, 27th of January 2017 at 12:40 PUFs, protection, privacy, PRNGs - an overview of physically unclonable functions by Pol van Aubel A physically unclonable function, or PUF, is some physical structure with properties that are easy to verify, hard to predict, and practically impossible to clone. Ideally, this means it's a device-unique unchanging identifier, which can be used for improving security. However, it can be at odds with privacy and anonymity. This talk will give you an overview of the thirty years of history behind PUFs, and will include the most recent advances in research. The functions, structure, and design will be discussed, as well as devices and materials that have properties to base PUFs on. • Friday, 13th of January 2017 at 12:40 Supersingular-isogeny-based cryptography by Joost Renes After having been proposed in 2014, there has been a lot of attention recently for cryptography based on hard problems related to isogeny graphs of supersingular elliptic curves. Many of the techniques used are related to the ones we rely on in elliptic-curve cryptography, but in general things become quite a bit more complex. This talk will focus on introducing the ideas behind supersingular-isogeny-based cryptography with only assuming very little background knowledge. It will be a very high-level approach, hoping to give you some intuition and spark your interest for the subject! • Friday, 6th of January 2017 at 12:40 Resource Analysis for Cybersecurity by Rody Kersten Software systems can be vulnerable to algorithmic complexity attacks if certain input causes them to consume excessive amounts of CPU time or space. If an adversary is able to efficiently construct such inputs, (s)he can potentially deny service to benevolent users. I will present an integrated symbolic execution approach for space-time analysis of Java programs, which can detect such algorithmic complexity based vulnerabilities. Our tool-set contains a pre-processing component that uses static analysis and visualization to help developers identify potentially vulnerable parts of the code for further analysis. A symbolic execution component implements Worst-Case Analysis to detect algorithmic complexity vulnerabilities, parametrized with respect to cost models for space-time consumption. The Java verification tool JayHorn, based on Constrained Horn Clauses, is used to check the inferred bounds. The effectiveness of our approach is demonstrated on a set of challenging use cases on which we identified many space-time vulnerabilities. • Friday, 16th of December 2016 at 12:40 No DiS Lunch (Crypto Working Group meeting) • Wednesday, 14th of December 2016 at 10:30 Mobile communication security by Fabian van den Broek • Tuesday, 13th of December 2016 at 16:00 Analysis of the Möbius Ring-Oscillator PUF by Prof. Dr. Jean-Pierre Seifert (Technische Universität Berlin) One of the most interesting strong PUF constructions is the Bistable-Ring PUF (BR PUF), which is derived from the Möbius Ring-Oscillator. This is due to the lack of a correct mathematical model describing its internal behavior. Despite the absence of a precise model we will show that the BR PUF can be strongly PAC learned. Towards this, we will use deep results from the field of Spectral Analysis of Boolean Functions (≈ modern Percolation Theory). We show that the surprising and very low Average-Sensitivity of a BR PUF is the crucial insight into its PAC learnability. Additionally, we will visualize our results through intensive practical experiments on real BR PUFs. Time permitting we aim to discuss a very recent insight on the existence of a single highly influential variable for every BR PUF. I.e., every BR PUF of length n has a single variable approximating the given BR PUF with a constant error bounded away from ½. • Friday, 9th of December 2016 at 12:40 Curve25519: Proving datatypes with a rooster by Benoît Viguier During his master thesis Timmy Weerwag proved that the operations in TweetNaCl were correct with respect to the elliptic curve specifications (Montgomery ladder...) However he did not provide any proof of the datatypes implementations (the basic operations: addition, multiplication etc). This work (_still in progress_) aims to show fill this gap. • Friday, 25th of November 2016 at 12:40 Software Instruction Duplication: a defense for fault injection attacks by Lucian Cojocar I will start with a short intro on power analysis and fault injection. Then I will introduce the single instruction skip attack model. My work is focused on compiler defenses for this attack model. I will try to give a brief overview on the state of the art defenses, both software and hardware. I will introduce instruction duplication as a defense. I will show some limitations of the software defenses and explain overhead of such defense. Finally, I will try to introduce a research question that I want to focus on in near future. • Friday, 18th of November 2016 at 12:40 From 5-pass MQ-based identification to MQ-based signatures by Joost Rijneveld This talk will describe MQDSS, a digital signature scheme based on the problem of solving a multivariate system of quadratic equations (i.e. the `MQ problem'). By discussing the Fiat-Shamir transform, an identification scheme and the MQ problem, we will see how the scheme is constructed. We then briefly look at MQDSS-31-64, a concrete instance of the scheme that provides post-quantum security. • Thursday, 17th of November 2016 at 11:30 Systematic Fuzzing and Testing of TLS Libraries by Juraj Somorovsky • Friday, 11th of November 2016 at 12:40 Smart Card Fault Injections with High Temperatures by Pedro Maat Costa Massolino Power and clock glitch attacks on smart cards can help an attacker to discover some internal secrets or bypass certain security checks. Also, an attacker can manipulate the temperature and supply voltage of the device, thus making the device glitch more easily. If these manipulations are within the device operating conditions, it becomes harder to distinguish between an extreme condition from an attacker. To demonstrate temperature and power supply effects on fault attacks, we perform several tests on an Atmega 163 microcontroller in different conditions. Our results show that these kinds of attacks are still a serious threat to small devices, whilst maintaining the manufacturer recommendations. • Friday, 4th of November 2016 at 12:40 Side-Channel Analysis on Keccak by Niels Samwel Keccak is a cryptographic primitive. Using Keccak in keyed mode data can be encrypted. During an encryption process information leaks through the power consumption of the device that performs the encryption. This leakage can sometimes be exploited using statistical analysis. Work has been done on an attack on a theoretical model that we tried to verify using an implementation on an FPGA. We also tried to create a more efficient attack to reduce the amount of traces that are required to successfully obtain the correct key. • Friday, 28th of October 2016 at 13:30 Assessing sustainability of software - analysing correctness, memory and energy consumption by Bernard van Gastel • Thursday, 27th of October 2016 at 16:00 Extending Liquid Types to Arrays by Ricardo Peña So this talk will probably be attractive to the theoretical, functional programming and correctness oriented people, as Liquid Types (in full Logically Qualified Data Types) are a system that combines Hindley-Milner type inference with predicate abstraction, in order to infer dependent type (for safety properties). • Friday, 21st of October 2016 at 12:40 Polymorphic Pseudonyms in Identity Federations by Hans Harmannij Identity federation is a way of authenticating to service providers that is being used by many people. For example by all students and staff of Dutch universities, when they use SURFconext. Since personal details are being exchanged between parties in such a system, privacy is an important factor that currently isn't always protected as well as it can be. Polymorphic pseudonyms can be used to address these problems. In this talk we'll explore how this works and what the advantages of polymorphic pseudonymization are. This talk is based on the master thesis Polymorphic Pseudonymization in Educational Identity Federations, for which I received the Joop Bautz Information Security Award. • Friday, 14th of October 2016 at 12:40 Vote to Link: Recovering from Misbehaving Anonymous Users by Wouter Lueks Service providers are often reluctant to support anonymous access, because this makes it hard to deal with misbehaving users. Anonymous blacklisting and reputation systems can help prevent misbehaving users from causing more damage. However, by the time the user is blocked or has lost reputation, most of the damage has already been done. To help the service provider to recover from abuse by malicious anonymous users, I'll present the vote-to-link system. In the vote-to-link system, moderators (rather than a single trusted third party) can cast votes on a user's action if they deem it to be bad. After enough moderators have voted on the action, the service provider can use these votes to link all the actions by the same user within a limited time frame and thus recover from these actions. All the user's actions in other time frames, however, remain unlinkable. To protect the voting moderators from retaliation, we also propose a (less efficient) variant that allows moderators to vote anonymously. We implemented and evaluated both variants to show that they are practical. In particular, we believe this system is suitable to combat malicious Wikipedia editing. • Friday, 7th of October 2016 at 12:40 Free and Open-Source Software (FOSS) (Licensing): A Crash Course for Computer Scientists by Felix Stegerman Millions of people make use of free and open-source software. The infrastructure of the internet relies on it, as do the servers of large and small organisations. Without FOSS, the internet as we know it would not exist. In this talk Felix Stegerman, Deputy Coordinator Netherlands of the Free Software Foundation Europe and bachelor student CS, will give a quick overview of the history and definition of FOSS and its relation to fundamental freedoms, vendor dependence, privacy and autonomy. He will discuss its relevance to individuals, the public sector, academia, and businesses; including how using Free Software in a commercial context relates to business models. Felix will point to the differences between the traditional "copyleft" and modern popular free software licenses and will underline their advantages and disadvantages in a number of use cases. • Friday, 16th of September 2016 at 12:40 The PEP project: Polymorphic Encryption and Pseudonymisation by Bart Jacobs in healthcare. This talk gives an introduction to the "PEP" project that recently received 750K funding from the province of Gelderland to develop a security infrastructure for personalised healthcare. Background can be found in the whitepaper (which is already slightly outdated): http://eprint.iacr.org/2016/411 • Friday, 9th of September 2016 at 12:40 Simulation based security proofs by Manu Drijvers Cryptographic protocols need rigorous security proofs, to ensure that a certain notion of security is achieved. Often, security is defined by a set of security games. An alternative way to define security is by an ideal functionality, this is called the simulation security paradigm. In this talk, I will give a short introduction into simulation based security and show some advantages over game-based security definitions. • Friday, 8th of July 2016 at 12:40 FP-Block: usable web privacy by controlling browser fingerprinting by Hugo Jonker Online tracking of users is used for benign goals, such as detecting fraudulous logins, but also to invade user privacy. We posit that for non-oppressed users, tracking within one website does not have a substantial negative impact on privacy, while it enables legitimate benefits. In contrast, cross-domain tracking negatively impacts user privacy, while being of little benefit to the user. Existing methods to counter tracking treat any and all tracking similar: client-side storage is blocked, or all sites are fed random characteristics to hamper re-identification. We develop a tool, FP-Block, that counters cross-domain tracking, while allowing intra-domain tracking. For each visited site, FP-Block generates a unique, consistent fingerprint: a "web identity". This web identity is then used for any interaction with that site, including for third-party embedded content. This ensures that ubiquitously embedded parties will see different, unrelatable fingerprints from different sites, and can thus no longer track the user across the web. • Friday, 1st of July 2016 at 12:40 Location-based side channel attacks by Kostas Papagiannopoulos In this talk we discuss a class of unconventional side-channel analysis, namely location-based attacks. We demonstrate the applicability of those attacks in ARM Cortex M4 processors and discuss possible attack modeling options via information theory. • Friday, 24th of June 2016 at 12:40 No DiS Lunch (PI Lab quarterly meeting) • Friday, 17th of June 2016 at 12:40 Formal methods in differential and linear trail search by Benoît Viguier In order to assess the security of cryptographic permutations and block ciphers, a lower bound on the weight of differential and linear) trails is desirable. For some primitives this requires an algorithm scanning the space of trails up to some bound. This algorithm involves multiple and complex iterators. My work was to provide a formal approach to verify the program soundness with respect to the bound expectations. In order to achieve that goal, two different approaches have been tested and are presented. This led to the construction of an abstract iterator. The correctness of this iterator relies on the soundness of the tree definition. • Friday, 10th of June 2016 at 12:40 No DiS Lunch (Croatia summer school week, Glasgow conference) • Friday, 3rd of June 2016 at 12:40 Protocol State Fuzzing of TLS Implementations by Joeri de Ruiter We describe a largely automated and systematic analysis of TLS implementations by what we call ‘protocol state fuzzing’: we use state machine learning to infer state machines from protocol implementations, using only blackbox testing, and then inspect the inferred state machines to look for spurious behaviour which might be an indication of flaws in the program logic. For detecting the presence of spurious behaviour the approach is almost fully automatic: we automatically obtain state machines and any spurious behaviour is then trivial to see. Detecting whether the spurious behaviour introduces exploitable security weaknesses does require manual investigation. Still, we take the point of view that any spurious functionality in a security protocol implementation is dangerous and should be removed. We analysed both server- and client-side implementations with a test harness that supports several key exchange algorithms and the option of client certificate authentication. We show that this approach can catch an interesting class of implementation flaws that is apparently common in security protocol implementations: in three of the TLS implementations analysed new security flaws were found (in GnuTLS, the Java Secure Socket Extension, and OpenSSL). This shows that protocol state fuzzing is a useful technique to systematically analyse security protocol implementations. As our analysis of different TLS implementations resulted in different and unique state machines for each one, the technique can also be used for fingerprinting TLS implementations. • Friday, 27th of May 2016 at 12:40 No DiS Lunch (CWG meeting in Utrecht) • Friday, 20th of May 2016 at 12:40 Security analysis of a railway system by Joeri de Ruiter The European Railway Traffic Management System (ERTMS) is a European standard for next-generation train management and signalling. It is intended to make it easier for trains to cross borders and optimise the running of the railway. In this talk I will introduce the system and present the security analysis we performed at the University of Birmingham. Using ProVerif, we analysed the authentication protocol used in the communication between the train and back-end. Furthermore we analysed the MAC algorithm used for this communication channel and discovered there is a possibility to forge messages, such that the corresponding MAC is the same as for a previously observed (valid) message. • Friday, 13th of May 2016 at 12:40 New Directions in IoT Privacy Using Attribute-Based Authentication by Anna Krasnova The Internet of Things (IoT) is a ubiquitous system that incorporates not only the current Internet of computers, but also smart objects and sensors. IoT technologies often rely on centralised architectures that follow the current business models. This makes efficient data collection and processing possible, which can be beneficial from a business perspective, but has many ramifications for users privacy. As communication within the IoT happens among many devices from various contexts, they need to authenticate each other to know that they talk to the intended party. Authentication, typically including identification, is the proof of identity information. However, transactions linked to the same identifier are traceable, and ultimately make people also traceable, hence their privacy is threatened. We propose a framework to counter this problem. We argue, that by applying attribute-based (AB) authentication in the context of IoT one empowers users to maintain control over disclosure of data by owned devices. At the same time AB authentication allows us achieve data minimisation and unlinkability between users transactions. Altogether this enables an important improvement of privacy in the IoT. • Friday, 6th of May 2016 at 12:40 No DiS Lunch (May Break) • Friday, 29th of April 2016 at 12:40 Complete Addition Formulas for Prime Order Elliptic Curves by Joost Renes An elliptic curve addition law is said to be complete if it correctly computes the sum of any two points in the elliptic curve group. One of the main reasons for the increased popularity of Edwards curves in the ECC community is that they can allow a complete group law that is also relatively efficient (e.g., when compared to all known addition laws on Edwards curves). Such complete addition formulas can simplify the task of an ECC implementer and, at the same time, can greatly reduce the potential vulnerabilities of a cryptosystem. Unfortunately, until now, complete addition laws that are relatively efficient have only been proposed on curves of composite order and have thus been incompatible with all of the currently standardized prime order curves. I present optimized addition formulas that are complete on every prime order short Weierstrass curve defined over a field k with char(k) not 2 or 3. Compared to their incomplete counterparts, these formulas require a larger number of field additions, but interestingly require fewer field multiplications. • Friday, 22nd of April 2016 at 12:40 Recent developments in IRMA by Wouter Lueks As most of you know, we have been working on the IRMA project for a couple of years now. While initially the focus was to provide attribute based authentication using smart cards, we have since shifted to a more phone oriented approach. This dramatically improves usability, but also causes new and interesting challenges. In this lunch talk I will briefly introduce IRMA, show some demos explaining the current setup, and discuss with you some of the new challenges we face. • Friday, 15th of April 2016 at 12:40 No DiS Lunch (IRMA meeting at Utrecht) • Friday, 8th of April 2016 at 12:40 White-box cryptography by Wil Michiels (NXP) White-box cryptography is the discipline of implementing a cryptographic algorithm is software, such that it is hard for an attacker to extract the key. The attacker is thereby assumed to have full access to and full control over the execution environment. A few years ago, white-box crypto was mainly used for DRM. However, since Host Card Emulation (HCE) has been introduced in Android, it is also increasingly used for payment. In this presentation, we discuss what white-box crypto is, how it is typically done, and what the state-of-the-art is in attacking these implementations. • Friday, 1st of April 2016 at 12:40 Quantum teleportation, diagrams, and the one-time pad by Aleks Kissinger In this talk, Aleks will give a brief intro to the "diagrammatic approach" to quantum theory, whereby one uses diagrams of quantum states, and processes acting on those states, to study some of the more surprising features of the physical world. Along the way, he will introduce quantum teleportation, prove that it works, and show that the key "trick" is the same as one-time pad crypto, where we simply substitute some types. • Friday, 25th of March 2016 at 12:40 No DiS Lunch (Good Friday) • Friday, 18th of March 2016 at 12:40 by No speakers • Friday, 11th of March 2016 at 12:40 IMSI catchers by Fabian van den Broek • Friday, 4th of March 2016 at 12:40 Efficient Masking for Tweakable Blockciphers by Bart Mennink, KU Leuven, Belgium Tweakable blockciphers have faced an immense increase in popularity lately, in part due to their use in authenticated encryption schemes. A well-established approach to tweakable blockcipher design is via masking, where a certain primitive (a blockcipher or a permutation) is preceded and followed by an easy-to-compute tweak-dependent mask. In this talk, we investigate the use of tweakable blockciphers in authenticated encryption and revisit the principle of masking. Using recent advancements in the computation of discrete logarithms, we develop a highly efficient, constant time masking technique. The new masking allows for authenticated encryption in about 0.55 cycles per byte, significantly outperforming its closest competitors. • Friday, 26th of February 2016 at 12:40 Evolutionary Computation in Cryptology by Stjepan Picek In this talk we discuss how to use evolutionary computation (EC) in cryptology. We start with a short introduction on EC and then briefly elaborate on similarities and differences between EC and machine learning methods. Since cryptology includes a plethora of difficult and non-deterministic problems it is obvious that evolutionary computation can be employed there. In fact, EC methods have been successfully used in cryptology for more than 20 years. In accordance with that, we present a number of EC applications in crypto area and possible research directions. • Friday, 5th of February 2016 at 12:40 ARMed SPHINCS - Computing a 41 KB signature in 16 KB of RAM by Joost Rijneveld This talk will show that it is feasible to implement the stateless hash-based signature scheme SPHINCS-256 on an embedded microprocessor with memory even smaller than a signature and limited computing power. We demonstrate that it is possible to generate and verify the 41KB signature on an ARM Cortex M3 that only has 16KB of memory available, and compare it to the stateful alternative by implementing XMSS^MT on the same platform. This talk partially overlaps with the talk I gave when presenting my Master's thesis, but also contains additions from the work we did afterwards. • Friday, 29th of January 2016 at 12:40 Privacy and the P&I course by Gergely Alpár Privacy is a hot topic. Not only because privacy-enhancing technologies (PETs) are exciting, but also because the world is constantly transforming now. This lunch colloquium attempts to put PETs in a bit broader context. It provides a brief overview about privacy and how technologies affect it. To make the discussion even more interesting, I will show surprising demonstrations and share with you some of my experiences about the new Privacy and Identity course finished just now. • Friday, 22nd of January 2016 at 12:40 A Critical Analysis of Privacy Design Strategies by Michael Colesky The upcoming General Data Protection Regulation is quickly becoming of great concern to organisations processing personal data of European citizens. To translate these legal requirements into privacy friendly designs for systems that process personal data is however a nontrivial task. One recently proposed approach to make privacy by design more concrete in practice is privacy design strategies. This paper uses the findings of an extensive literature review, in particular a catalogue of surveyed privacy patterns, to improve strategy definitions and introduce an additional level of abstraction between strategies and patterns: ‘tactics’. It formally defines these tactics, and explores the relationships between concepts which help bridge the gap between legal requirements and system development. • Friday, 15th of January 2016 at 12:40 A refinement of the Mifare parity sum attack. by Ronny Wichers Schreur Last year Carlo Meijer and Roel Verdult published a new attack "Ciphertext-only Cryptanalysis on Hardened Mifare Classic Cards". This card-only attack works on recent Mifare cards that implement an improved random number generator. Ronny will present a refinement of the attack that needs fewer traces and less search time. • Friday, 8th of January 2016 at 12:40 Optimizing S-box Implementations for Several Criteria using SAT Solvers by Ko Stoffelen How can you provably minimize your implementation? In this work, we explore the feasibility of applying SAT solvers to optimizing implementations of small functions such as S-boxes for multiple optimization criteria, e.g., the number of nonlinear gates and the number of gates. We provide optimized implementations for the S-boxes used by several candidates in the CAESAR competition. We then suggest a new method to optimize for circuit depth and we made (or we are about to make) tooling publicly available to find efficient implementations for several criteria. Furthermore, we illustrate with the 5-bit S-box of PRIMATEs how multiple optimization criteria can be combined. • Friday, 18th of December 2015 at 12:40 A new hope on ARM Cortex-M by Erdem Alkim Recently, we proposed a Ring-LWE-based key-exchange protocol called "Newhope" and illustrated that this protocol is very efficient on large Intel processors. Our paper also claims that the parameter choices enable efficient implementations on small embedded processors. In this follow up work, we show that these claims are actually correct and present Newhope software for the ARM Cortex-M family of 32-bit microcontrollers. More specifically, our software targets the low-end Cortex-M0 and the high-end Cortex-M4 processor from this family. Our software starts from the C reference implementation and then carefully optimizes subroutines in assembly. As a result, the server side of the key exchange executes in only 1594889 cycles on the M0 and only 1626589 cycles on the M4; the client side executes in 1840024 cycles on the M0 and 1791200 cycles on the M4. • Friday, 11th of December 2015 at 12:30 No DS Lunch (PI.lab annual conference) • Friday, 4th of December 2015 at 12:40 Simulating power consumption for side channel analysis by Nikita Veshchikov This talk about the use of simulators in case of side channel attacks. We will argue that the field of side channel analysis needs simulators. We will go through different types of simulators, theirs strengths and their weaknesses while trying to sketch the type of an attacker (or a researcher) that might have access to resources and knowledge needed in order to use such simulators. We will also talk about cases when a simulator might be more convenient than a real experiment as well as limitations or simulations compared to real life experiments. • Friday, 27th of November 2015 at 12:40 Slightly more practical quantum factoring through number theory by Benjamin Smith We use elementary results in number theory to investigate the number of trials needed by Shor's algorithm to factor an integer, with a view to minimising the amount of experimental physics work required. In particular, we show that one call to the quantum subroutine is enough to factor strong RSA keys. This implies the somewhat surprising result that while strong RSA moduli are considered the hardest case for classical factoring algorithms, they are in fact the easiest case for quantum factoring. This is a progress report on joint work with François Morain, Thomas Lawson, and Frédéric Grosshans. • Friday, 20th of November 2015 at 12:30 No DS Lunch (PI.lab quarterly meeting) • Friday, 13th of November 2015 at 12:40 Future Internet Security and Privacy (challenges) by Mauro Conti The Internet is an amazing success story, connecting hundreds of millions of users. However, in the last decade, there has been a growing realization that the current Internet Protocol is reaching the limits of its senescence. In fact, the way people access and utilize it has changed radically since the 1970-s when its architecture was conceived. This has prompted several research efforts that aim to design potential next-generation Internet architectures. In particular, Content-Centric Networking (CCN) is an emerging networking paradigm being considered as a possible replacement for the current IP-based host-centric Internet infrastructure. CCN focuses on content distribution, which is arguably not well served by IP. Named-Data Networking (NDN) is an example of CCN. NDN is also an active research project under the NSF Future Internet Architectures (FIA) program. FIA emphasizes security and privacy from the outset and by design. To be a viable Internet architecture, NDN must be resilient against current and emerging threats. In this talk, we discuss the main security and privacy issues we identified in NDN. • Friday, 6th of November 2015 at 12:40 A virtual bank experiment, and the quest for a securely usable online banking transaction authorisation method by Sven Kiljan This talk will consist of two parts. The first part is a report of an experiment that we recently conducted, while the second part focuses on a new potential research direction for which your input would be appreciated! About the first part (based on the abstract of our submitted paper): Security and usability improvements in online banking are often made in academic proposals. Testing of these proposals could provide vital information for designing new systems and for proposing further improvements. A modular evaluation framework, presented as a virtual bank, could provide a common ground for testing and reduces the overhead of setting up experiments. We propose such a framework for testing secure usability in online banking, since it does not exist to our knowledge. To validate that it would provide useful information, we created a first proof of concept to measure secure usability user behavior with two different authentication methods in an experiment. The results confirm that online bank users pay more attention to security actions after they noticed that they have been attacked. We were also able to conclude that of two tested authentication methods, one is significantly faster in use compared to the other. These results validate that the envisioned framework will be able to provide useful information. What we learned from the proof of concept will be used in the development of a modular evaluation framework, which we will release in the near future as open source for others to experiment with. About the second part: In customer to bank communications, banks often employee a transaction authorization scheme known as 'What You See Is What You Sign' (WYSIWYS). In this scheme, the user sends information over an insecure channel to the bank, after which the bank sends the received information back over a secure channel to the user for verification. Last year, we proposed an alternative named 'What You Enter Is What You Sign (WYEIWYS, also presented during a DS Lunch). In this proposed scheme, the information provided by users is initially sent to the bank over a secure channel, which makes it unnecessary for users to verify the information afterwards on correctness. In the second part of the talk I will briefly explain the principles of WYSIWYS and WYEIWYS (for those who missed that particular DS Lunch) before I will tell more about an envisioned WYEIWYS implementation. For the latter I request your insights. The idea is very fresh and a first proof of concept is still in development. Questions from my side will be related to the use of cryptography (is this secure in theory?) and whether you can suggest other improvements or alternative ideas which I simply did not think of. • Friday, 30th of October 2015 at 12:40 A Semi-Parametric Approach for Side-Channel Attacks on Protected RSA Implementations by Łukasz Chmielewski Side-channel attacks on RSA aim at recovering the secret exponent by processing multiple power or electromagnetic traces. The exponent blinding is the main countermeasure which avoids the application of classical forms of side-channel attacks, like SPA, DPA, CPA and template attacks. Horizontal attacks overcome RSA countermeasures by attacking single traces. However, the processing of a single trace is limited by the amount of information and the leakage assessment using labeled samples is not possible due to the exponent blinding countermeasure. In order to overcome these drawbacks, we propose a side-channel attack framework based on a semi-parametric approach that combines the concepts of unsupervised learning, horizontal attacks, maximum likelihood estimation and template attacks in order to recover the exponent bits. Our method is divided in two main parts: learning and attacking phases. The learning phase consists of identifying the class parameters contained in the power traces representing the loop of the exponentiation. We propose a leakage assessment based on unsupervised learning to identify points of interest in a blinded exponentiation. The attacking phase executes a horizontal attack based on clustering algorithms to provide labeled information. Furthermore, it computes confidence probabilities for all exponent bits. These probabilities indicate how much our semi-parametric approach is able to learn about the class parameters from the side-channel information. • Friday, 23rd of October 2015 at 12:40 Towards practical attribute-based signatures by Brinda Badarinath Hampiholi An attribute-based signature (ABS) is a special digital signature created using a dynamic set of issued attributes. For instance, a doctor can sign a medical statement with his name, medical license number and medical specialty. These attributes can be verified along with the signature by any verifier with the correct public keys of the respective attribute issuers. This functionality not only makes ABS a much more flexible alternative to the standard PKI-based signatures, but also offers the ability to create privacy-preserving signatures. However, none of the ABS constructions presented in the literature is practical or easily realizable. In fact, to the best of our knowledge, there is currently no ABS implementation used in practice anywhere. This is why we put forward a new ABS technique based on the IRMA attribute-based authentication. IRMA already has an efficient and practical smart-card implementation, and an experimental smart-phone implementation too. They are currently used in several pilot projects. In the paper that was recently presented at the SPACE conference, we propose an ABS scheme based on the existing IRMA technology, extending the currently available IRMA devices with ABS functionality. We study the practical issues that arise due to the introduction of the signature functionality to an existing attribute-based authentication scheme, and we propose possible cryptographic and infrastructural solutions. We also discuss use cases and implementation aspects. • Friday, 16th of October 2015 at 12:40 An efficient self-blindable attribute-based credential scheme by Sietse Ringers An attribute-based credential scheme is a set of cryptographic protocols in which an issuer can grant a credential to a user, who can then show it to other parties. The credential contains several attributes; i.e., pieces of data, generally statements about the owner of the credential. In such a scheme, the user can selectively show some of the attributes contained in his credential, while hiding the others. The scheme should be unforgeable (that is, only the issuer can create new credentials), and ideally, it should not be possible to tell if two transactions in which the same attributes were disclosed did or did not originate from the same credential (this is called unlinkability). A number of such attribute-based credential schemes exist. However, finding schemes that satisfy all of the above demands while still being sufficiently efficient for implementation on smart cards is something of a challenge. In this talk we present a new attribute-based credential scheme that is provably unforgeable, unlinkable, and suitable for smart cards, based on bilinear pairings on elliptic curves and an intractability assumption called the Known Exponent Assumption. • Friday, 9th of October 2015 at 12:40 Strengthening Authentication with Privacy-Preserving Location Verification of Mobile Phones by Diego A Ortiz-Yepes Mobile devices are increasingly used in security sensitive contexts such as physical access control and authorisation of payment transactions. In this work we contribute a mechanism to verify whether a mobile device currently resides within a geographical area at a given time, thus enabling the use of the location as an additional authentication factor. Trustworthiness, privacy, and practicability are central to our mechanism. In particular, to provide trustworthy location information, our mechanism uses the location of the phone as detected by the Mobile Network Operator instead of relying on the location detected by the phone itself, which can be manipulated. We have followed a privacy-by-design approach to ensure that sensitive information, e.g., location and subscriber data, are only revealed to parties with a need to know. Privacy safeguards are realized using anonymous credentials, an established privacy-enhancing technology. Finally, our mechanism is practical and has little requirements on the mobile phone beyond the ability to run computations on anonymous credentials, as well as Internet and mobile network connectivity. These requirements are fulfilled by most smart phones in the market. • Friday, 2nd of October 2015 at 12:40 A differential-nonce attack on Megamos Crypto. by Ronny Wichers Schreur After a two-year delay because of legal issues Roel, Barıs and Flavio’s paper "Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer" was presented at Usenix last month. This now also gives me the opportunity to present a different attack I developed on Megamos Crypto. • Friday, 25th of September 2015 at 12:30 No DS Lunch (CWG meeting in Utrecht) • Friday, 18th of September 2015 at 12:40 No DS Lunch (DS group event) • Friday, 11th of September 2015 at 12:40 A new attack on Mifare Classic: A Classic example of crypto gone bad by Carlo Meijer Despite a series of attacks, Mifare Classic is still the world's most widely deployed contactless smartcard on the market. The Classic uses a proprietary stream cipher Crypto1 to provide confidentiality and authentication. However, once the cipher was reverse engineered, many serious vulnerabilities surfaced and a number of attacks were proposed. The most severe key recovery attacks only require wireless interaction with a card. These card-only attacks are considered the most serious threat, since it allows for avoiding camera detection, which is often present at an access control or public transport gate. Consequently, system intregrators started to deploy "fixed" Mifare Classic cards, wherein some issues are fixed while remaining backwards compatible. This averts all card-only attacks currently proposed in the literature. However, these countermeasures are rather palliating and inadequate for an insecure cipher such as Crypto1. In support of this proposition we present a novel card-only attack, independent of fixable implementation flaws. Hence, in order to avoid this attack, backwards compatibility is inherently broken and all cards and readers must be upgraded. • Thursday, 10th of September 2015 at 13:30 The core component of cryptocurrencies: Consensus Mechanisms, an overview by Tommy Koens The main challenge of any decentralized untrusted cryptocurrency network is reaching consensus amongst its participants on the validity of transactions. Besides reaching consensus, many other issues exist within decentralized cryptocurrencies, including power consumption, DDoS attacks and tattoos. Reaching consensus is achieved by proof-of-methods (dubbed consensus mechanisms), for example proof-of-work in Bitcoin, or proof-of-stake in Peercoin. Also, many other consensus mechanisms exist, including a blockchainless consensus mechanism. This talk will provide an overview of consensus mechanisms, their types, variants, differences and the issues they solve in decentralized cryptocurrencies. • Friday, 4th of September 2015 at 12:40 SPHINCS -- practical stateless hash-based signatures by Peter Schwabe All asymmetric cryptography that is widely deployed today can be broken in polynomial time by a large quantum computer, once such a computer exists. Post-quantum cryptography proposes alternatives that, as far as we know, will not be efficiently broken by a large quantum computer. One of the best understood post-quantum cryptographic constructions are hash-based signatures. Their security relies solely on certain standard properties of a cryptographic hash-function, they are resonably efficient and both signatures and keys are short. The big problem is that they are stateful, i.e., the secret key needs to be updated after each signature. This poses various problems for practical deployment when considering backups, load balancing, or even typical APIs for signatures. In this talk I will present SPHINCS as the first efficient stateless hash-based signature scheme. • Tuesday, 1st of September 2015 at 14:30 Software Analysis Methods for Resource-Sensitive Systems by Rody Kersten • Tuesday, 1st of September 2015 at 11:00 Mini-symposium on software analysis on the occasion of defence by Rody Kersten • Friday, 28th of August 2015 at 12:40 Mining contrasting permission patterns for clean and malicious applications Requirements by Veelasha Moonsamy The Android platform uses a permission model that allows users and developers to regulate access to private information and system resources required by applications. These permissions have proven to be useful for inferring behaviours and characteristics of an application. Existing work have demonstrated several techniques to study ‘required’ permissions; however, little attention has been paid towards ‘used’ permissions. In this talk, I will present a pattern mining algorithm which can be applied to identify contrasting permission patterns that aim to detect the difference between clean and malicious applications. Our empirical results suggest that the permission patterns can capture key differences between clean and malicious applications, which can assist in characterising these two types of applications during malware triage. • Thursday, 27th of August 2015 at 14:30 Lessons learned in the analysis of the EMV and TLS security protocols by Joeri de Ruiter • Friday, 10th of July 2015 at 12:40 Leave Nothing to Chance: Efficient Higher-Order Masking with Reduced Randomness Requirements by Kostas Papagiannopoulos Cryptographic implementations are vulnerable to side channel analysis. To prevent this, masking schemes randomly split the sensitive values into d+1 shares, where d is the order of the scheme. However, using a dth order masking scheme such as the Ishai, Sahai and Wagner scheme (ISW) to secure a non-linear operation, requires an amount of random bits witch is quadratic with respect to the order d. In this work, we use two approaches to resolve this problem. First, we suggest a new higher-order masking scheme that can merge linear and non-linear operations in order to eliminate the quadratic randomness requirement. Second, we demonstrate how an imperfect, yet realistic adversarial model can lead to a relaxed notion of security that enables masking schemes with reduced randomness requirements. • Friday, 3rd of July 2015 at 12:40 Cross-layer invariants for NoCs by Freek Verbeek One of the major challenges in the design and verification of manycore systems is cache coherency. In bus-based architectures, this is a well-studied problem. When replacing the bus by a communication network, however, new problems arise. Cross-layer deadlocks can occur even when the protocol and the network are both deadlock-free when considered in isolation. To counter this problem, we propose a methodology for deriving cross-layer invariants. These invariants relate the state of the protocols run by the cores to the state of the communication network. We show how they can be used to prove the absence of cross-layer deadlocks. Our approach is generally applicable and shows good scalability. • Friday, 5th of June 2015 at 12:40 No DS Lunch (Croatia Summer school week) • Friday, 26th of June 2015 at 12:40 no DS Lunch • Friday, 19th of June 2015 at 12:40 Online Template Attacks on ECC by Louiza Papachristodoulou Template attacks are a special kind of side-channel attacks that work in two stages. In a first stage the attacker builds up a database of template traces collected from a device similar to the target device. In the second stage, traces from the target device are compared to the template traces to recover the secret key. In the context of attacking elliptic-curve scalar multiplication with template attacks, one can interleave template generation and template matching and reduce the amount of template traces. In this presentation, we are going to show this technique by defining and applying the concept of online template attacks, a general attack technique with minimal assumptions for an attacker, who has very limited control over the template device. • Friday, 12th of June 2015 at 12:40 No DS Lunch • Friday, 29th of May 2015 at 12:40 State Space Explosion: Facing the Challenge by Jeroen Keiren When processes run in parallel, the total number of states in a system grows exponentially; this is typically referred to as the state space explosion problem. The holy grail in model checking is finding a way in which we can effectively cope with this state space explosion. In this talk I discuss a line of research in which we use an equational fixed point logic and parity games as a basis for verification. I will focus on the latter, and discuss ideas that can be used to reduce these parity games. For those wondering whether this general theory has any applications at all I discuss industrial applications of this technology. If you want to know what these applications are, come listen to my talk! • Friday, 22nd of May 2015 at 12:40 No DS Lunch (CWG meeting in Utrecht) • Friday, 22nd of May 2015 at 12:40 CWG meeting in Utrecht • Friday, 15th of May 2015 at 12:40 No DS Lunch (Ascension Day) • Friday, 8th of May 2015 at 12:40 No DS Lunch (lecture free time) • Friday, 1st of May 2015 at 12:30 No DS Lunch (PI.lab quarterly meeting) • Friday, 1st of May 2015 at 13:00 Symposium: Surveillance, Big Data and Digital Rights • Friday, 24th of April 2015 at 12:40 An overview of the ERC project: quantum logic and security by Bart Jacobs • Tuesday, 21st of April 2015 at 14:30 The (in)security of proprietary cryptography by Roel Verdult • Friday, 17th of April 2015 at 12:40 Automatic Extraction of Micro-Architectural Models of Communication Fabrics from Register Transfer Level Designs by Sebastiaan Joosten Multi-core processors and Systems-on-Chips are composed of a large number of processing and memory elements interconnected by complex communication fabrics. These fabrics are large systems made of many queues and distributed control logic. Recent studies have demonstrated that high levels models of these networks are either tractable for verification or can provide key invariants to improve hardware model checkers. Formally verifying Register Trans- fer Level (RTL) designs of these networks is an important challenge, yet still open. This work bridges the gap between high level models and RTL designs. We propose an algorithm that from a Verilog description automatically produces its corresponding micro-architectural model. The extracted model is transfer equivalent to the original RTL circuit. • Friday, 10th of April 2015 at 12:40 How to Relax Assumptions in Side Channel Analysis by Baris Ege I will present our ongoing work on relaxing the assumptions made for side channel analysis. I will try to summarize our recent results without going into too much technical details. Also I'll say a few words about recent masking techniques and their shortcomings that we have spotted so far. • Friday, 3rd of April 2015 at 12:40 No DS Lunch (Good Friday) • Friday, 27th of March 2015 at 12:40 A Dependent Type System for Energy Consumption Analysis by Bernard van Gastel Energy is becoming a key resource for IT systems. It can be essential for the success of a system under development to be able to analyse and optimise its resource consumption. Recently, a hardware parametric approach has been proposed [joint work with Marko and Rody], that involves creating energy models for hardware components and passing the hardware models as a parameter to the analysis of the software that controls the system. This analysis uses an energy aware Hoare logic. However, the Hoare logic approach suffers both from lack of compositionality and from significant overshoot in the analyse bounds. For large IT systems compositionality is a key property for an analysis to be applicable in practice. This paper proposes a hardware parametric dependent type system that offers great advantages over the earlier Hoare logic approach. Not only does it achieve compositionality through the use of function signatures but it also has the potential to yield more precise bounds than the Hoare logic approach. • Friday, 20th of March 2015 at 12:40 Alternative approaches to computation and to security implementations by Ricardo Chaves This presentation will detail the ongoing work on the use of Residue Number Systems (RNS) in the computation of asymmetrical encryption algorithms and the secure usage of partial reconfigurable devices. The ability of RNS to represent large integer value as a set of smaller independent values, allows for the parallel and carry free computation of arithmetic operations. However the conversion cost associated with RNS can significantly impact the performance of the resulting systems. The usage of RNS in the implementation of asymmetrical encryption algorithms, the developed RNS coprocessor, and the obtained results will be detailed. Additionally, the concept of partial dynamic reconfiguration of FPGA devices and a solution to improve the security of this reconfiguration process will also be discussed. • Friday, 13th of March 2015 at 12:40 Language-theoretic security meets protocol state machines by Erik Poll Input languages, which describe the set of valid inputs an application has to handle, play a central role in language-theoretic security, in recognition of the fact that overly complex, sloppily specified, or incorrectly implemented input languages are the root cause of many security vulnerabilities. I'll present the ideas behind language-theoretic security to then discuss how our research using protocol state machines fits in with this. • Friday, 6th of March 2015 at 12:40 Grover’s algorithm for a quantum computer: halving the bits-of-security of hashes and symmetric ciphers. by Bas Westerbaan There are two important algorithms for a quantum computer: Shor’s and Grover’s algorithm. Shor’s algorithm is the most famous: it factors primes and solves discrete log in cubic time, completely breaking most common asymmetric ciphers like RSA, ECC and El-Gamal. The field of post quantum cryptography searches for asymmetric ciphers unaffected by Shor’s algorithm. Less spectacular, but unavoidable, is Grover’s algorithm. It allows a quantum computer to find a preimage of a$n$-bit hash with just$2^(n/2)$work. The countermeasure is easy but annoying: double the bits-of-security of every hash function and symmetric cipher. In this talk I will give an accessible explanation of Grover’s algorithm. No prior knowledge required. • Friday, 27th of February 2015 at 12:40 AutoID: Privacy and Identity by Bertus Pretorius The methods of the ISO/IEC 20248 Digital Siganture Meta Structure standard is discussed. This standard provides a compact offline verifiable data structure for RFID and Barcodes. It is also applicable for IOT and M2M. The concept of offline verifiable documents as a key function in providing trust services and accountability is demonstrated at the hand of a title deed and vehicle license plate examples. The structure of the data in a barcode and RFID for optimum read performance is also demonstrated. Albertus Pretorius represents South Africa at ISO/IEC JTC1 SC31 Automated Identification as expert and Head of Delegation. His focus in the standards work is on UHF Air Protocol, Data Structures and Security with an emphasis on performance meaurement methods. He has 20 years of experience in applied cryptography, specifically in the domain of Public Key Technologies. He is the editor, and key driver, behind the SANS 1368 and now ISO/IEC 20248 Digital Siganture Meta Structure standard. This standard provides a compact offline verifiable data structure for RFID and Barcodes. It is also applicable for IOT and M2M. • Friday, 20th of February 2015 at 12:40 Design and Evaluation of a Post-Quantum Cryptographic Co-Processor by Pedro Maat Costa Massolino Asymmetric cryptographic primitives are essential to enable secure communications in public networks or public mediums. Such primitives can be deployed as software libraries or hardware coprocessors, the latter being more commonly employed in Systems on Chip (SoC) scenarios, embedded devices, or application-specific servers. Unfortunately, the most commonly available solutions, based on RSA or Elliptic Curve Cryptography (ECC), are highly processing-intensive due to the underlying extended-precision modular arithmetic. Consequently, they are not available on highly constrained platforms. Aiming to tackle this issue, we here investigate an alternative asymmetric encryption scheme that relies on lightweight arithmetic: McEliece. This scheme is especially appealing because, being based on error correction codes, it displays a simpler arithmetic and leads to better performance when compared to RSA or ECC. To evaluate the implementation of this scheme in hardware, we propose and analyze a flexible architecture whose security level and time vs. area usage characteristics can be reconfigured as desired. Namely, the proposed architecture is suitable for all usual security levels, ranging from 80 to 256 bits. It is also very efficient, being able to perform data decryption with binary Goppa codes in 56 µs with 3402 Slices on a Xilinx Spartan-3AN FPGA, while the best known result in the literature for the same FPGA is 115 µs with 7331 Slices. Alternatively, the architecture can operate with Quasi-Dyadic Goppa (QD-Goppa) codes, which involves smaller keys than traditional binary Goppa codes. In the latter case, for an 80-bit security level, the decryption operation can take from 1.1 ms with 1129 Slices to 68 µs with 8268 Slices. By choosing a more hardware-friendly decoding algorithm, focusing hardware resources on most bottleneck operations and sharing hardware resource for two different algorithms, better results than the literature were obtained. • Friday, 6th of February 2015 at 12:40 Sublinear Scaling for Multi-Client Private Information Retrieval by Wouter Lueks Private information retrieval (PIR) allows clients to retrieve records from online database servers without revealing to the servers any information about what records are being retrieved. To achieve this, the servers must typically do a computation involving the entire database for each query. Previous work by Ishai et al. has suggested using batch codes to allow a single client (or collaborating clients) to retrieve multiple records simultaneously while allowing the server computation to scale sublinearly with the number of records fetched. In this work, we observe a useful mathematical relationship between batch codes and efficient matrix multiplication algorithms, and use this to design a PIR server algorithm that achieves sublinear scaling in the number of records fetched, even when they are requested by distinct, non-collaborating clients; indeed, the clients can be completely unaware that the servers are implementing our optimization. Our multi-client server algorithm is several times faster, when enough records are fetched, than existing optimized PIR severs. As an application of our work, we show how retrieving proofs of inclusion of certificates in a Certificate Transparency log server can be made privacy friendly using multi-client PIR. • Friday, 30th of January 2015 at 12:40 Stepping up from 5 to 50cm communication range for standard ISO14443 RFID technology by René Habraken (TechnoCentrum of FNWI) This talk presents experiments to study the practical limits of the RFID technology, more specifically ISO14443 proximity cards, used e.g. in biometric passports, public transport, and contact-less payments. Our goal was to investigate the maximum distance at which such RFID cards can be activated or read. This maximum distance has implications for security, as attackers might secretly activate cards or eavesdrop on the communication between a card and a legitimate reader. During this talk several antenna setups are discussed. Starting with a standard commercially available reader with a communication range of 5cm and ending with the current situation in which it is possible to communicate with an RFID tag at a distance of 50cm. • Friday, 23rd of January 2015 at 12:40 Clock Glitch Attacks in the Presence of Heating by Baris Ege Fault attacks have been widely studied in the past but most of the literature describes only individual fault-injection techniques such as power/clock glitches, EM pulses, optical inductions, or heating/cooling. In this work, we investigate combined fault attacks by performing clock-glitch attacks under the impact of heating. We performed practical experiments on an 8-bit AVR microcontroller which resulted in the following findings. First, we identified that the success rate of glitch attacks performed at an ambient temperature of 100°C is higher than under room temperature. We were able to induce more faults and significantly increase the time frame when the device is susceptible to glitches which makes fault attacks easier to perform in practice. Second, and independently of the ambient temperature, we demonstrate that glitches cause individual instructions to repeat, we are able to add new random instructions, and we identified that opcode gets modified such that address registers of individual instructions get changed. Beside these new results, this is the first work that reports results of combined glitch and thermo attacks. • Thursday, 15th of January 2015 at 10:30 Attributed-based identity managment by Gergely Alpar Promotor Bart Jacobs • Tuesday, 13th of January 2015 at 14:00 Discussion of the paper 'An Efficient and Usable Multi-show Non-transferable Anonymous Credential System' by Jaap-Henk Hoepman The paper is available at http://libeccio.di.unisa.it/PINO/PAPERS/fc04.pdf • Friday, 9th of January 2015 at 12:40 Searching for privacy in medical data distribution by Christiaan Hillen • Friday, 12th of December 2014 at 12:40 No DS Lunch (PI Lab meeting) • Friday, 5th of December 2014 at 12:40 Another explanation of BitCoins, for first year students. by Bart Jacobs • Friday, 28th of November 2014 at 12:40 No DS Lunch (PhD Defence) • Friday, 28th of November 2014 at 10:30 Efficient Implementations of Attribute-Based Credentials on Smart Cards by Pim Vullers Promotor Bart Jacobs • Friday, 21st of November 2014 at 12:40 Mining Github for fun and profit (and short intro of Georgios) by Georgios Gousios (new UD at DS, starting 1 January) With over 10.6 million repositories and 1.5 users, GitHub is currently the largest code hosting site in the world. Software engineering researchers have been drawn to GitHub due to this popularity, as well as its integrated social features and the metadata that can be accessed through its API. To make research with GitHub data approachable, we created the GHTorrent project, a scalable, off-line mirror of all data offered through the GitHub API. In our talk, we describe how we setup GHTorrent, how we build a community around it and what types of research it has been used for (including ours). • Tuesday, 18th of November 2014 at 14:00 Discussions about the paper Unpicking PLAID – A Cryptographic Analysis of an ISO-standards-track Authentication Protocol” by Jean Paul Degabriele et al. by Wouter Lueks The paper is available at: https://eprint.iacr.org/2014/728 . It describes attacks on an authentication protocol PLAID -- a simpler cousin of IRMA. While the paper illustrates that security proofs are essential, I will also sketch why security proofs could have been deceptive in this instance. • Friday, 14th of November 2014 at 15:00 Discussion about the proposal for new laws to allow hacking by police by Lodewijk van Zwieten (National Prosecutor for High Tech Crime, employed at National Public Prosecutor's Office) There will be drinks afterwards in the Mecator 1 building. • Friday, 14th of November 2014 at 12:40 Privacy in Quantum Communication Complexity by Mathys Rennela One question that has received a lot of attention recently in quantum communication complexity is whether it is possible to perform quantum communication protocols in a private way. In this talk, we investigate the difference between two widely used concepts of privacy and we construct private quantum protocols for computing the Inner Product function and for Private Information Retrieval. See the paper on http://arxiv.org/abs/1409.8488 . • Friday, 7th of November 2014 at 12:40 An end-to-end security design for smart EV-charging for Enexis and ElaadNL by LaQuSo by Bárbara Vieira This talk will address the work that we (me and Fabian) have been doing regarding to the proposal of a security architecture for the Smart Electrical Vehicle Charging project developed by Enexis DSO. • Thursday, 30th of October 2014 at 12:40 DNSSEC and Its Potential for DDoS Attacks - A Comprehensive Measurement Study by Roland van Rijswijk-Deij (UT, former DS) Over the past five years we have witnessed the introduction of DNSSEC, a security extension to the DNS that relies on digital signatures. DNSSEC strengthens DNS by preventing attacks such as cache poisoning. However, a common argument against the deployment of DNSSEC is its potential for abuse in Distributed Denial of Service (DDoS) attacks, in particular reflection and amplification attacks. DNS responses for a DNSSEC-signed domain are typically larger than those for an unsigned domain, thus, it may seem that DNSSEC could actually worsen the problem of DNS-based DDoS attacks. The potential for abuse in DNSSEC-signed domains has, however, never been assessed on a large scale. We have established ground truth around this open question. We performed a detailed measurement on a large dataset of DNSSEC-signed domains, covering 70% (2.5 million) of all signed domains in operation today, and compare the potential for amplification attacks to a representative sample of domains without DNSSEC. At first glance, the outcome of these measurements confirms that DNSSEC indeed worsens the DDoS phenomenon. Closer examination, however, gives a more nuanced picture. DNSSEC really only makes the situation worse for one particular query type (ANY), for which responses may be over 50 times larger than the original query (and in rare cases up to 179×). We also discuss a number of mitigation strategies that can have immediate impact for operators and suggest future research directions with regards to these mitigation strategies. • Friday, 24th of October 2014 at 12:40 Parsers Identification and Analysis in Embedded Systems by Lucian Cojocar (Vrije Universiteit Amsterdam) Many embedded systems are responsible for the security and safety of critical infrastructures. They are integrated in large environments and need to support several communication protocols to interact with other devices or with users. Interestingly, such firmware often implements protocols that deviate from their original specifications, some are extended with additional features, while others are completely undocumented. Furthermore, such embed parsers often consist of complex C code which is optimized to improve performance. However, this code is rarely designed with security in mind, e.g., it lacks proper input validation, which often makes those devices vulnerable to memory corruption attacks. Furthermore, most embedded designs are closed source and third parties security evaluations are only possbile from the binary firmware. In our latest work we propose a methodology to identify and analyze parsers present in embedded firmware without access to its source code or documentation. We first locate and select parsing code statically then we record memory interactions while the firmware is executed and we extract information from the memory transactions. These steps are performed automatically, and make possible to rank the discovered functions according to their probability of containing a parser. We then re-execute the firmware using symbolic and concolic execution while replaying the previously recorded I/O memory transactions. Finally, we demonstrate how our technique can be used to identify firmware components treating a peripheral’s input, perform automated reverse engineering to extract protocols, and discover and analyze bugs on four widely used devices: a Hard Disk Drive (HDD), a Programmable Logic Controller (PLC), a Power Meter and a GPS Receiver. • Friday, 17th of October 2014 at 12:40 • Friday, 17th of October 2014 at 12:40 Improving Coverage of Test-Cases Generated by Symbolic PathFinder for Programs with Loops by Rody Symbolic execution is a program analysis technique that is used for many purposes, one of which is test-case genera- tion. For loop-free programs, this generates a test-set that achieves path coverage. Program loops, however, imply ex- ponential growth of the number of paths in the best case and non-termination in the worst case. In practice, the number of loop unwindings needs to be bounded for analysis. We consider symbolic execution in the context of the tool Symbolic Pathfinder. This tool extends the model-checker Java Pathfinder and relies on its bounded state-space ex- ploration for termination. We present an implementation of k-bounded loop unwinding, which increases the amount of user-control over the symbolic execution of loops. Bounded unwinding can be viewed as a naive way to prune paths through loops. When using symbolic execu- tion for test-case generation, naively pruning paths is likely at the cost of coverage. In order to improve coverage of branches within a loop body, we present a technique that semi-automatically concretizes variables used in a loop. The basic technique is limited and we therefore present annota- tions to manually steer symbolic execution towards certain branches, as well as ideas on how the technique can be ex- tended to be more widely applicable. • Thursday, 16th of October 2014 at 19:30 Big Data, Small Politics by Evgeny Morozov Big Data hebben de toekomst. Dankzij goedkope sensoren en grote digitale geheugens wordt mogelijk enorme hoeveelheden gegevens te bewerken. Deskundigen hopen daarmee maatschappelijke problemen aan te pakken, variërend van obesitas tot klimaatverandering. Sommigen dromen er zelfs van het politieke proces deels te kunnen vervangen door ‘algoritmische zelfregulering’. Zullen deze zelfreguleringstechnieken wel effectief zijn? En áls ze effectief zijn, wat zijn dan de ethische gevolgen? Deelname: €7,-. Meer info op: http://www.ru.nl/soeterbeeckprogramma/agenda/overzicht_op_datum/vm/lezingen/2014/big-data-small/ • Friday, 10th of October 2014 at 12:40 Establishing and evaluating a component-based framework for the design, specification and implementation of programming languages by Peter Mosses (University of Swansea) For the occasion of the Ph.D. defence of Ken Madlener 'Formally Verified Modular Semantics', Peter Mosses is our guest for a few days. He will talk about the PLanCompS project. This is a 4-year joint research project based at Swansea, Royal Holloway and City, funded by EPSRC, started in September 2011. It aims to establish and test the practicality of a component-based framework for the design, specification and implementation of programming languages. The main novelty will be the creation of a substantial collection of highly reusable, validated language components called fundamental constructs or funcons. Crucially, the semantic specification of each funcon will be independent, not needing any reformulation when funcons are combined or new funcons added to the collection. All specifications will be provided online in an open access repository, with browsing and searching supported by a digital library interface. Some references of work by Peter Mosses. - Reusable Components of Semantic Specifications. Churchill M., Mosses P.D. and Torrini P., Modularity 2014. - Deriving Pretty-Big-Step Semantics from Small-Step Semantics. Bach Poulsen, C. and Mosses P.D., ESOP 2014. - FunKons: Component-Based Semantics in K. Mosses, P.D. and Vesely, F., WRLA 2014. - Modular Bisimulation Theory for Computations and Values. Churchill, M. and Mosses P., FoSSaCS 2013. • Thursday, 9th of October 2014 at 12:30 Formally Verified Modular Semantics by Ken Madlener Co-promotor Sjaak Smetsers, promotor Marko van Eekelen • Tuesday, 7th of October 2014 at 14:00 Why quantum computers can factor fast by Bas Westerbaan • Friday, 3rd of October 2014 at 12:40 No DS Lunch (PI Lab meeting) • Friday, 26th of September 2014 at 12:40 The Internet - measure to understand, understand to act by Anna Sperotto (UTwente) Network-based attacks represent nowadays one of the biggest challenges for both security experts and operators. In the last couple of years, we have seen attacks on some of the basic infrastrucure of the Internet (such as DNS); volumetric attacks (mostly Distributed Denial of Service attacks) have threatened the stability of the Internet core; and the rise of the DDoS-as-a-Service phenomenon. The intensity, frequency and ease with which these attacks are being carried out clearly calls for strong countermeasures. In the past, we mainly focused on intrusion detection. Nowadays, intrusion detection is only one step. First, a prerequisite for detection is monitoring. Second, there is a need for effective attack mitigation. This presentation will provide an overview of the current research conducted at the DACS group of the University of Twente touching all the above topics in network security. • Friday, 19th of September 2014 at 12:40 A proposed application layer security mechanism for Bluetooth Low Energy by Diego In this talk we briefly explore the fundamentals of Bluetooth Low Energy and its main differences with "traditional" Bluetooth. We identify the security mechanisms that it provides and how they may be circumvented or are not available on mobile platforms. Because of that, we propose an application layer security mechanism in the form of a Bluetooth service intended to ensure authenticity and confidentiality of exchanged information. Time permitting, we show a prototype of how it can be used in practice with wireless sensors. • Friday, 12th of September 2014 at 12:40 What You Enter Is What You Sign, input integrity in an online by Sven Kiljan banking environment Current authentication methods for financial transactions in online banking often rely on the customer's computer to provide and maintain integrity. Since these computers cannot be trusted due to malware threats, banks are implementing a new scheme to provide secure verification of critical transaction details. The focus of this talk will be on the real world problem which requires banks to reconsider their used authentication methods, the new authentication scheme they implement and the major security flaw in this new scheme. We propose an alternative scheme to work around this flaw, which is easier to use and at least offers the same security. A small primer on authentication in online banking is integrated in the talk for the uninitiated. Basic knowledge of authentication schemes is helpful but not a requirement to follow the talk and participate in discussions. • Thursday, 10th of July 2014 at 12:40 Evolving Branching Heuristics for SAT-based Cryptanalysis by Frédéric Lafitte (Brussels) The language of propositional logic allows to express security properties by means of propositional rules in a precise and rigorous manner. Once a property is formulated, its automated verification can be handled by SAT solvers. This talk introduces the software package “cryptosat” and discusses its use for the generation and analysis of SAT instances encoding cryptographic algorithms from the ARX family (Addition Rotation eXclusive or). In this context, we will discuss to what extent genetic algorithms can be used in order to detect backdoors in cryptographic SAT instances. • Friday, 4th of July 2014 at 12:40 A strategic perspective on privacy by Marc van Lieshout Within TNO work is done on privacy from a strategic and policy perspective. On the strategic side we help in shaping new concepts, such as privacy by design and privacy and personal data markets, on the policy side we deal with the role of privacy in innovation and privacy and regulation. In the lunch meeting I will present the headlines of our approach and present an example for each of the headlines. • Friday, 20th of June 2014 at 12:40 Sharing files (cases) about children (Jeugdzorg) by Hans-Cees Speel (Bureau Jeugdzorg Gelderland) Today we have Hans-Cees Speel, Security Officer of Buro Jeugdzorg Gelderland, presenting the challenges of implementing an information sharing system for 'Youthcare'. The system interconnects many different organisations preventing, detecting and/or treating children with all kinds of mental/social/health problems. Obviously, the dossiers exchanged contain highly sensitive data. Hans-Cees is looking for our constructive feedback ;-) • Friday, 13th of June 2014 at 12:40 A disclosures & global mass surveillance; Yes, its bad. So what do we *do*?$ by Arjen Kamphuis (Gendo)

The EU has spent most of a year holding meetings and hearings to 'understand' the problem but has not produced a single word on what concrete actions could regain the right to privacy for its citizens now. This while a July 2001 report on Echelon, the NSA/GCHQ precursor program to the current alphabet soup, explained the scope of the problem of electronic dragnet surveillance and made practical and detailed recomendations that would have protected Europeans and their institutions had they been implemented. Currently only Germany has seen the beginnings of policies that will offer some protection for its citizens. On Friday the 13th of June I will discuss the full scope of the NSA surveillance problem, the available technological and policy solutions and some suggestions about why they have not and are not being implemented (or even discussed).

• Friday, 6th of June 2014 at 12:40
A Hoare Logic for Energy Consumption Analysis by Rody Kersten

Energy inefficient software implementations may cause bat- tery drain for small systems and high energy costs for large systems. Dynamic energy analysis is often applied to mitigate these issues. How- ever, this is often hardware-specific and requires repetitive measurements using special equipment. We present a static analysis deriving upper-bounds for energy consump- tion based on an introduced energy-aware Hoare logic. Software is con- sidered together with models of the hardware it controls. The Hoare logic is parametric with respect to the hardware. Energy models of hardware components can be specified separately from the logic. Parametrised with one or more of such component models, the analysis can statically pro- duce a sound (over-approximated) upper-bound for the energy-usage of the hardware controlled by the software.

• Friday, 30th of May 2014 at 12:40
No DS Lunch (Hemelvaart)
• Friday, 23rd of May 2014 at 12:40
IETF Inner Workings by Jelte Jansen (SIDN Labs)

The Internet Engineering Task Force (IETF) is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. It is mostly known for publishing protocol specifications, but it also produces informal publications and best practice documents. The talk will be about the organization of the IETF, as well as its processes and the lifecycle of publications. I will also share some experiences I've had during my participation over the years.

• Friday, 16th of May 2014 at 12:40
Automated analysis of structure-preserving signature schemes by Joeri de Ruiter

This talk will be on work done during my internship at Microsoft Research in Cambridge. I worked on automated analysis of structure-preserving signature (SPS) schemes. These schemes make use of bilinear pairings and can be very useful in the construction of new cryptographic operations like blind signatures. We can distinguish two different methods to analyse these schemes. The first method is using algebraic analysis, which relies on q-type assumptions. We developed a tool that can perform this analysis for a fixed number of oracle queries. The tool makes use of SMT solvers for the actual computations. The second method to proof SPS schemes secure is by reducing them to a known hard problem. Though this method provides stronger security guarantees, it is much harder to automate and this is still ongoing work.

• Friday, 9th of May 2014 at 12:40
The Cronto App. by Ronny Wichers Schreur

The Cronto app is an IPhone and Android app for online banking. With this app the user's phone becomes an extra authentication factor. The bank customer uses the online-banking site on his PC to enter the transaction details. The banking site displays a colour QR code that the user scans with the Cronto app on is his phone. The app displays the transaction details from the QR code on the phone, the user checks the transaction and confirms it. The app computes a response code that the users enters on the banking site on his PC. I will discuss the inner workings of the Cronto app that I learned by reverse-engineering it.

• Friday, 2nd of May 2014 at 12:40
No DS Lunch (Meivakantie)
• Friday, 25th of April 2014 at 12:40
EUROMILS: Certification of an industrial Separation Kernel by Freek Verbeek

Modern automative and aircraft industry faces the problem of designing and verifying reliable, secure and trustworthy on-board computers. As these systems must be able to control safety-critical systems such as the breaks of a car and the airbags, their certification occurs according to the highest levels set by the European governments. EUROMILS is a project funded by a European consortium with as aim a highly certified on-board chip architecture for future cars and planes. We present our part of this effort, namely the formal verification of such a chip architecture. This concerns security related properties such as non-interference between domains that may not interfere each other. For the verification we use the Isabelle theorem prover.

• Friday, 18th of April 2014 at 12:40
No DS Lunch (Goede Vrijdag)
• Friday, 11th of April 2014 at 12:40
No DS Lunch (IPA Spring Days)
• Friday, 4th of April 2014 at 12:40
ECAlogic: Hardware-Parametric Energy-Consumption Analysis of Algorithms by Marc Schoolderman

While green software is a popular topic in computer science nowadays, the average programmer still has little options for analysis of the energy-efficiency of his/her software. Analysis is mostly done dynamically, for which a complex measurement set-up is needed. Using a static analysis which predicts the energy-consumption, would be more accessible and more cost-effective. We present ECAlogic, a tool that implements a static analysis that can bound the energy consumption of algorithms. The tool is parametric with respect to a set of hardware component models. Its results are symbolic over the program parameters.

• Friday, 28th of March 2014 at 12:40
No DS Lunch (PILab meeting)
• Friday, 28th of March 2014 at 12:40
No DS Lunch (PILab meeting)
• Friday, 21st of March 2014 at 12:40
Scalable Liveness Verification for Communication Fabrics by Bas Joosten

In the realm of multi-core processors and systems- on-chip, communication fabrics constitute a key element. A large number of queues and distributed control are two important aspects of this class of designs. These aspects make decomposition and abstraction techniques difficult to apply. For this class of designs, the application of formal methods is a real challenge. In particular, the verification of liveness properties is often intractable. Communication fabrics can be seen as a set of queues and flops interconnected by combinatorial logic. Based on this simple but powerful observation, we propose a novel method for liveness verification. Our method directly applies to Register Transfer Level designs. The essential aspects of our approach are (1) to abstract away from the details of queue implementa- tions and (2) an efficient encoding of liveness properties in an SMT instance. Experimental results are promising. Designs with hundreds of queues can be analysed for liveness within minutes.

• Friday, 7th of March 2014 at 12:40
Side-Channel Leakage in the Parallel Universe by Baris Ege

Side-channel analysis is proposed in 1999 by Kocher et al. but the power of doing the analysis in the frequency domain is not utilized until 2005. Numerous following publications concentrated mostly on experimental results with only few attempting to support observations by theoretical analysis. In this paper, we start from a theoretical model of the signal and show that the algorithmic noise can amplify the leakage in the presence of Gaussian noise. On the other hand, under certain conditions, the algorithmic noise can remove the leakage acting as an SCA countermeasure. We conclude that the leaking frequencies depend on the underlying algorithmic noise and the phase between the noise and the leakage, which is overlooked by previous work so far. The observations made in the paper are also supported by experiments on a real target, and the results show that the difference can be as much as 2.5 times in terms of the number of traces required to recover the key.

• Monday, 3rd of March 2014 at 12:40
No DiS Lunch (PI Lab meeting)
• Friday, 28th of February 2014 at 12:40
The road to 'I Reveal My Attributes'... 4,5 years of my life as a PhD student by Pim Vullers

In this talk I will provide a brief overview of what kept me busy in the past 4,5 years. From OV-chipkaart to IRMAcard, and everything in between.

• Friday, 21st of February 2014 at 12:40
LEGO as offensive technology by Erik Poll

Hot on the heels of the LEGO movie, now the first penetration tester made out of LEGO! The LEGO pen-tester was built by two Austrian students, Georg Chalupar and Stefan Peherstorfer, who visited last semester, with help from Joeri de Ruiter. It can automatically reverse-engineer the implementation of an internet banking token like ABN-AMRO's e.dentifier2, using LearnLib for the inference of a finite state machine. Within a couple of hours our LEGO hacker can learn a state space in enough detail to see the difference between the old and the new version of the e.dentifier2 - revealing the security flaw in the old version and confirming that this flaw has been removed in the new version. This shows that the LEGO hacker is already cleverer than the security evaluators employed by ABN-AMRO (but that is not saying much, unfortunately...)

• Friday, 14th of February 2014 at 12:40
• Friday, 7th of February 2014 at 12:40
• Friday, 31st of January 2014 at 12:40
Security in mobile devices by Jan Brands, NXP

Should we be worried about malware on smartphones and tablets? Can private data be stolen, phone calls be recorded and location data be used to track us? How serious are such threats? How secure are these devices really? By giving an in-depth overview of the security architecture of mobile devices we will try to address these questions, indicate the risks and highlight recent trends, such as ARM TrustZone and Mobile TPM.

• Friday, 24th of January 2014 at 12:40
Mechanized operational semantics, ACL2, and AVR assembly code verification by Julien Schmaltz

The AVR micro-controller is often integrated in small and secure devices. In this talk, I will give a short introduction about mechanized operational semantics and how one can use the ACL2 theorem prover to verify AVR assembly code. I do not assume any pre-requisite and will do my best to make the talk accessible to every one.
My long term goals are (1) the verification of AVR cryptographic primitives and libraries and (2) explore the possibility of deriving symbolic power traces. These are very early research ideas and I would be happy to discuss them with you and hear about your feedback.

• Friday, 17th of January 2014 at 12:40
• Friday, 10th of January 2014 at 12:40
• Friday, 13th of December 2013 at 12:40
Discussion about student mail in a cloud by Marien de Clercq and others from the UCI (computer services department of the university)

The Radboud University Nijmegen is planning to outsource her student mail facility. Since providing student mail is not a core business of the university, the board has decided to stop facilitating it ourselves, starting at the next academic year (summer 2014). Because the mail addresses the RU provides (@student.ru.nl) are the only addresses we use to communicate with our students and because in a number of cases students like to have an address that shows they are a student at our university, we plan to migrate this service to "the cloud". We would like to discuss the possibilities and threats of the migration of @student.ru.nl to the cloud, to be able to take your insights into account, as the project is just starting.

• Friday, 6th of December 2013 at 15:30
Counter Profiling: User Empowerment for Enhanced Online Presence Management (USEMP) by Mireille Hildebrandt

• Friday, 6th of December 2013 at 12:40
Algebraic structure of computational effects by Sam Staton

I will discuss how ideas from universal algebra can be used to axiomatize equations between programs. I'll focus on my completeness result for a local store monad. I recently joined the DS group (I'm working with Bart Jacobs) and this will be a fairly high level and accessible talk to introduce myself.

• Friday, 22nd of November 2013 at 12:40
Digital and Electronic Signatures: New Technology and Law by Fabian van den Broek

This talk will give short overview of the current legal framework for electronic signatures and discuss the new recommendations from the ECB for strong authentication. I will give an example of a setup usable for creating server-based signatures: so personal signatures created in a cloud. We can then discuss whether these server-based signatures fit within the presented legal frameworks and recommendations.

• Friday, 1st of November 2013 at 12:40
A security protocol for information-centric networking in Smart Grids by Bárbara Vieira

The C-DAX project aims at providing a secure overlay network, as an overlay over an IP network, that provides an information-centric network (ICN) tailored to the needs and the capabilities of smart grids. In this talk we will address how end-to-end security can be enforced in information-centric networks by proposing a protocol based on the concept of identity-based encryption, a type of public-key cryptography.

• Friday, 25th of October 2013 at 12:40
Using Trusted Execution Environments in Two-factor Authentication: comparing approaches by Roland van Rijswijk-Deij

Classic two-factor authentication has been around for a long time and has enjoyed success in certain markets (such as the corporate and the banking environment). A reason for this success are the strong security properties, particularly where user interaction is concerned. These properties hinge on a security token being a physically separate device. This paper investigates whether Trusted Execution Environments (TEE) can be used to achieve a comparable level of security without the need to have a separate device. To do this, we introduce a model that shows the security properties of user interaction in two-factor authentication. The model is used to examine two TEE technologies, Intel’s IPT and ARM TrustZone, revealing that, although it is possible to get close to classic two-factor authentication in terms of user interaction security, both technologies have distinct drawbacks. The model also clearly shows an open problem shared by many TEEs: how to prove to the user that they are dealing with a trusted application when trusted and untrusted applications share the same display

• Friday, 18th of October 2013 at 12:40
Elligator: Elliptic-curve points indistinguishable from uniform random strings by Anna Krasnova

Censorship-circumvention tools are in an arms race against censors. The censors study all traffic passing into and out of their controlled sphere, and try to disable censorship- circumvention tools without completely shutting down the Internet. Tools aim to shape their traffic patterns to match unblocked programs, so that simple traffic profiling cannot identify the tools within a reasonable number of traces; the censors respond by deploying firewalls with increasingly so- phisticated deep-packet inspection. Cryptography hides patterns in user data but does not evade censorship if the censor can recognize patterns in the cryptography itself. In particular, elliptic-curve cryptogra- phy often transmits points on known elliptic curves, and those points are easily distinguishable from uniform random strings of bits.
We introduce high-security high-speed elliptic-curve systems in which elliptic-curve points are encoded so as to be indistinguishable from uniform random strings.

• Friday, 11th of October 2013 at 12:40
Generation of Inductive Invariants from Register Transfer Level Designs of Communication Fabrics by Bas Joosten

Communication fabrics constitute a key component of multicore processors and systems-on-chip. To ensure correctness of communication fabrics, formal methods such as model checking are essential. Due to the large number of buffers and the distributed character of control, applying these methods is challenging. Recent advancements in the verification of communication fabrics have demonstrated that the use of inductive invariants provides promising results towards scalable verification of Register Transfer Level (RTL) designs. In particular, these invariants are key in the verification of progress properties. Such invariants are difficult to infer. So far, they were either manually or automatically derived from a high-level description of the design. Important limitations of these approaches are the need for the high-level model and the necessary match between the model and the RTL design. We propose an algorithm to automatically derive these invariants directly from the RTL design. We consider communication fabrics to be a set of message storing elements (e.g. buffers) and some routing logic in-between. The only input required by our method is a definition of when messages enter or leave a buffer. We then exploit this well-defined buffer interface to automatically derive invariants about the number of packets stored in buffers. For several previously published examples, we automatically generate the exact same invariants that were either manually or automatically derived from a high-level model. Experimental results show that the time needed to generate invariants is a few seconds even for large examples.

• Friday, 4th of October 2013 at 12:40
Prevent Session Hijacking by Binding the Session to the Cryptographic Network Credentials by Willem Burgers

Many cyber-physical applications are responsible for safety critical or business critical infrastructure. Such applications are often controlled through a web interface. They manage sensitive databases, drive important SCADA systems or represent imperative business processes. A vast majority of such web applications are well-known to be vulnerable to a number of exploits. The focus of this paper is on the vulnerability of session stealing, also called session hijacking. We developed a novel method to prevent session stealing in general. The key idea of the method is binding the securely negotiated communication channel to the application user authentication. For this we introduce a server side reverse proxy which runs independently from the client and server soft- ware. The proposed method wraps around the deployed infrastructure and requires no alterations to existing software. This presentation discusses the technical encryption issues involved with employing this method. We de- scribe a prototype implementation and motivate the technical choices made. Furthermore, the prototype is validated by applying it to secure the particularly vulnerable Blackboard Learn system, which is a important and critical infrastructural application for our university. We concretely demonstrate how to protect this system against session stealing.

• Friday, 27th of September 2013 at
Financial malware and underground economics. by Stan Hegt and Pieter Ceelen

• Friday, 6th of September 2013 at
pol, commandline password manager with deniable encryption by Bas Westerbaan.

The best way to keep a secret, is being able to deny you are keeping any. *pol* is a commandline password manager with deniable encryption. A safe can have multiple containers filled with secrets. Each container has its own password. With only one password, an adversary cannot prove that there is another container. This is true, even if the adversary has multiple versions of the safe, with changes in the other container. In this talk, I will explain the cryptography behind pol.
I will focus on those parts of which I, as an amateur cryptographer, am not sure whether they are safe or optimal. More information can be found at: http://github.com/bwesterb/pol

• Tuesday, 2nd of July 2013 at
Using Lua features to implement a syntax-based test generator. by Anamaria Martins Moreira

• Friday, 28th of June 2013 at
Improving the security of Android devices for the Dutch government. by Gerben van der Lei (Fox-IT) and others

• Friday, 7th of June 2013 at
Real numbers in homotopy type theory by Bas Spitters

• Friday, 31st of May 2013 at
Forward Secure and Efficient Distributed Encryption. by Wouter Lueks

• Friday, 24th of May 2013 at
Time-Dependent Analysis of Attacks. by Marielle Stoelinga

• Friday, 3rd of May 2013 at
Femtocell Security in Theory and Practice. by Fabian van den Broek

• Friday, 26th of April 2013 at
The Elitzur-Vaidman bomb tester. by Robert Furber

• Friday, 12th of April 2013 at
We don't need no education (or: using DNS to DDoS your school). by Roland van Rijswijk-Deij

• Friday, 5th of April 2013 at
Battle of domains in side channel analysis (time VS frequency). by Baris Ege

• Friday, 22nd of March 2013 at

• Friday, 15th of March 2013 at
Corsa audit. by Maik Keeris (Documentaire Informatie Voorziening Archief, RU)

• Friday, 8th of March 2013 at
Using Model-Checking to Reveal a Vulnerability of Tamper-Evident Pairing. by Rody Kersten

• Friday, 1st of March 2013 at
Consent to behavioural targeting, a behavioural law and economics view. by Frederik Zuiderveen Borgesius (IViR)

• Friday, 15th of February 2013 at
Towards the Automatic Application of Countermeasures Against Physical Attacks. by Francesco Regazzoni (TU Delft)

• Friday, 8th of February 2013 at
On Privacy Aware Cloud Data Storage. by Anna Krasnova

• Friday, 1st of February 2013 at
Strong authentication to strengthen the security of the systems at the Radboud University. by Marijn van Beers (UCI)

• Friday, 25th of January 2013 at
Crypto in theory and practice. by Gergely Alpar

• Friday, 11th of January 2013 at
EURO-MILS: formele verificatie van een separation kernel. by Freek Verbeek.

• Thursday, 6th of December 2012 at
Introducing myself by Peter Schwabe

• Friday, 30th of November 2012 at
Formal verification of cryptographic software implementations. by Barbara Vieira

• Friday, 23rd of November 2012 at
Scapy, a small tutorial. by Fabian van den Broek

• Friday, 16th of November 2012 at
Quantifying effort in the enhancement of commercial off-the-shelf software. by Sven Kiljan

• Friday, 2nd of November 2012 at
Differential Scan Attack on AES with X-Tolerant and X-Masked Test Response Compactor. by Baris Ege

• Friday, 26th of October 2012 at
Meeting Bachelor programm cybers security. by Bart Jacobs

• Friday, 19th of October 2012 at
Making Resource Analysis Practical for Real-Time Java. by Rody Kersten

• Friday, 28th of September 2012 at
DS hacking class. by Ronny Wichers Schreur

• Friday, 21st of September 2012 at
U-Prove, Windows Phone & NFC. by Pim Vullers

• Friday, 31st of August 2012 at
Personal data management and the QIY platform. by Marcel van Galen (QIY)

• Friday, 29th of June 2012 at
"IRMA" (I Reveal My Attributes). by Bart Jacobs

• Friday, 8th of June 2012 at
A SimToolkit man-in-the-middle. by Sjors Gielen

• Friday, 1st of June 2012 at
Thoughts about homotopy type theory. by Bas Spitters

• Friday, 11th of May 2012 at
Mobile device security. by Pieter Ceelen (KPMG)

• Friday, 27th of April 2012 at
Flexible DNSSEC Key Rollovers. by Matthijs Mekking (NLnet Labs)

• Friday, 30th of March 2012 at
State machine learning in security. by Sicco Verwer

• Friday, 23rd of March 2012 at
A very very gentle introduction to Category Theory. by Bas Joosten

• Friday, 9th of March 2012 at
Towards memory models in network-on-chips using message dependencies. by Bernard van Gastel

• Friday, 24th of February 2012 at
Distributed trust. by Klaus Kursawe

• Friday, 17th of February 2012 at
Dismantling of the Bredolab botnet. by Merel Koning

• Friday, 3rd of February 2012 at
Evaluatie Internet recherche netwerk. by Ronny Wichers Schreur

• Friday, 27th of January 2012 at
Univariate Polynomial Solutions of Polynomial Difference equations. by Olha Shkaravska

• Friday, 20th of January 2012 at
The ZTIC. by Diego Ortiz (IBM Research)

• Friday, 13th of January 2012 at
Robustness of behavioral equations under operational extensions. by Ken Madlener

• Friday, 16th of December 2011 at
Memory encryption in smart cards. by Baris Ege

• Friday, 9th of December 2011 at
How to break the CanYouCrackIt.co.uk challenge. by Roel Verdult

• Friday, 2nd of December 2011 at
How to outSmart cards. by Gerhard de Koning Gans

• Friday, 18th of November 2011 at
Time-Memory Trade-Off attacks on Stream ciphers. by Fabian van den Broek

• Friday, 4th of November 2011 at
Formalizing the C99 standard. by Robbert Krebbers

• Friday, 28th of October 2011 at
Securing the Critical Infrastructures at the Time of Stuxnet. by Damiano Bolzoni (UTwente)

• Friday, 21st of October 2011 at
Zero-knowledge proofs in anonymous credential systems. by Gergely Alpar

• Friday, 14th of October 2011 at
The Camenisch-Lysyanskaya signature scheme. by Pim Vullers

• Friday, 16th of September 2011 at
Times were when crypto devices were "fail-safe". by Cees Jansen (Compumatica)

• Friday, 8th of July 2011 at
Self-blindable credentials. by Wouter Lueks

• Friday, 10th of June 2011 at

• Friday, 13th of May 2011 at
Exposing iClass Key Diversification. by Flavio Garcia

• Friday, 29th of April 2011 at
Computer certified efficient exact reals in Coq. by Bas Spitters

• Friday, 8th of April 2011 at
Formal analysis of watermarking protocols. by David Williams

• Thursday, 31st of March 2011 at
StemWeb. by Erik Schierboom

• Friday, 25th of March 2011 at
Try-out of a Challenge-Response Hack Lecture. by Ronny Wichers Schreur

• Friday, 18th of March 2011 at
Formal Analysis of the EMV Protocol Suite. by Joeri de Ruiter

• Friday, 11th of March 2011 at
Running our own cell tower, the start of FabRon telecom. by Fabian van den Broek

• Friday, 4th of March 2011 at
Test-based inference of polynomial ranking functions for loops. by Rody Kersten

• Friday, 25th of February 2011 at
The Next Generation OV-Chipkaart. by Pim Vullers

• Friday, 11th of February 2011 at
Recent Developments Regarding OV Chipcard Hacks. by Brenno de Winter

• Friday, 28th of January 2011 at
Practical Attacks on NFC Enabled Cell Phones. by Roel Verdult

• Friday, 14th of January 2011 at
Hacking a Fortune 500 Company in 30 Minutes. by Stan Hegt (KPMG)

• Friday, 7th of January 2011 at
Secure Building Blocks for Privacy Preserving Reputation Systems by Joeri de Ruiter

• Friday, 17th of December 2010 at
Zero Knowledge Protocols for Smart Energy. by Klaus Kursawe

• Friday, 26th of November 2010 at
TRECVID: Benchmarking Content Based Video Retrieval Technology. by Wessel Kraaij

• Friday, 12th of November 2010 at
God in the detail: formalizing deadlock-free routing theories for interconnection networks and its consequences. by Julien Schmaltz

• Friday, 5th of November 2010 at
PrETP: Privacy-Preserving Electronic Toll Pricing. by Josep Balasch

• Friday, 29th of October 2010 at
Identity-Based Encryption from Pairings and a Possible Application. by Maarten Jacobs

• Friday, 22nd of October 2010 at
Making Privacy Protection Real: U-Prove. by Gergely Alpar

• Friday, 15th of October 2010 at
Attributes on Identity Cards. by Bart Jacobs

• Friday, 8th of October 2010 at
More A5/1 Ramblings. by Ronny Wichers Schreur

• Friday, 1st of October 2010 at
A Brief Overview of the COSTA System. by Manuel Montenegro

• Friday, 24th of September 2010 at
Visit to BSI and German Biometric Passports. by Wojciech Mostowski

• Friday, 17th of September 2010 at
Modular Lightweight Semantics. by Ken Madlener

• Friday, 10th of September 2010 at
Type Classes for Mathematics in Type Theory. by Bas Spitters

• Friday, 3rd of September 2010 at
Dynamic Tool Programming. by Gerhard de Koning Gans

• Friday, 2nd of July 2010 at
Real-Time Specification for Java. by Wojciech Mostowski

• Friday, 25th of June 2010 at
Mirembe Reliability of the Ariadne protocol. by Drake Patrick

• Friday, 18th of June 2010 at
Traitor Tracing in Broadcast Networks. by Jeroen Doumen

• Friday, 11th of June 2010 at
A Security Analysis of OpenID 2.0. by Bart van Delft

• Friday, 4th of June 2010 at
Practical Side Channel Analysis and Fault Attacks. by Jasper van Woudenberg

• Friday, 28th of May 2010 at
Anonymous Credentials on a Java Card. by Pim Vullers

• Friday, 21st of May 2010 at
Quantum Cryptography by Jorik Mandemaker

• Friday, 19th of March 2010 at
Loop Bound Analysis for Real Time Java. by Olha Shkaravska

• Friday, 12th of March 2010 at
Attacking the Internet via the Browser. by Pieter Ceelen

• Friday, 26th of February 2010 at
Mobile PKI pilot @ SURFnet. by Francois Kooman

• Friday, 19th of February 2010 at
The logic behind Hex. by Leonard Lensink

• Friday, 12th of February 2010 at
Reasoning about pointers in object-oriented programs. by Alejandro Tamalet

• Friday, 5th of February 2010 at
EMV by Erik Poll

• Friday, 29th of January 2010 at
A5/1 - GSM Encryption Hacked (again?). by Peter van Rossum

• Friday, 22nd of January 2010 at
The XTR Cryptosystem. by Hugo Villafane

• Friday, 11th of December 2009 at
Practical Schemes For Privacy & Security Enhanced RFID. by Jaap-Henk Hoepman

• Friday, 4th of December 2009 at
Security and Common Criteria related talk. by Bartek Gedrojc (Fox-IT)

• Friday, 27th of November 2009 at
Research Challenges in Embedded Security. by Lejla Batina

• Friday, 13th of November 2009 at
Exact Verified Analysis. by Bas Spitters

• Friday, 30th of October 2009 at
Computing the Leakage of Information-Hiding Systems. by Miguel Andres

• Friday, 23rd of October 2009 at
Privacy in Light RFID. by Gerhard de Koning Gans

• Friday, 9th of October 2009 at
Basic Access Control (BAC). by Group discussion

• Friday, 2nd of October 2009 at
Formal Verification of a Core Module of a Storm Surge Barrier Control System. by Ken Madlener

• Friday, 25th of September 2009 at
Cycles in reduced RC4. by Ronny Wichers Schreur

• Friday, 18th of September 2009 at
Secure Ownership and Ownership Transfer in RFID Systems. by Pim Vullers

• Friday, 11th of September 2009 at
by Flavio Garcia

• Friday, 3rd of July 2009 at
Freak verification example. by Wojciech Mostowski

• Friday, 26th of June 2009 at
Efficient Distributed Private Matching. by Lukasz Chmielewski

• Friday, 19th of June 2009 at
On bilinear pairings on elliptic curves. by Bart Jacobs

• Friday, 5th of June 2009 at
David and Clarisse Hoevenaar: Safeberg backup security overview. by Stefan Hoevenaar

• Monday, 1st of June 2009 at
Using genetic algorithms in plant seed crossing. by Ken Madlener

• Tuesday, 12th of May 2009 at
Type-safe plugins based on Dynamics by Sjaak Smetsers

• Friday, 8th of May 2009 at
Detection of anonymous clones. by Wouter Teepe

• Friday, 3rd of April 2009 at
Enhanced Security Models for RFID. by Flavio Garcia

• Friday, 27th of March 2009 at
(Semi-)formal specifications for the e-passport. by Erik Poll

• Friday, 20th of March 2009 at
Polynomial solutions of non-linear recurrence equations. by Olha Shkaravska

• Friday, 13th of March 2009 at
Best Effort and Practice Activation Codes. by Gerhard de Koning Gans

• Friday, 6th of March 2009 at
Code generation for airstar's verified communication protocol. by Leonard Lensink

• Friday, 20th of February 2009 at
Implementing Zero-knowledge proofs on Java Card: Experiences and performance. by Hendrik Tews

• Friday, 6th of February 2009 at
Polynomial Size Complexity Analysis with Families of Piecewise Polynomial. by Alejandro Tamalet

• Friday, 30th of January 2009 at
Formalizing Cryptography. by Peter van Rossum

• Friday, 23rd of January 2009 at

• Friday, 16th of January 2009 at
PIN & PUK codes in electronic driving license by Erik Poll

• Friday, 5th of December 2008 at
Minimising Boolean Functions. by Ronny Wichers Schreur

• Friday, 14th of November 2008 at
Significant Diagnostic Counterexamples in Probabilistic Model Checking. by Miguel E. Andres

• Friday, 31st of October 2008 at
Quantum Logic. by Chris Heunen

• Friday, 24th of October 2008 at
A Structured Approach to Software Security Introducing the Extensible Security Architecture Description Format. by Ton van Opstal

• Friday, 17th of October 2008 at
Translation of Midlet navigation graphs into JML. by Wojciech Mostowski

• Friday, 26th of September 2008 at

• Friday, 19th of September 2008 at
JASON: A Generic Architecture for Secure Remote Management. by Lukasz Chmielewski

• Friday, 12th of September 2008 at
Road use Charging by Wiebren De Jong

• Friday, 5th of September 2008 at
Basis for OV-chip 2.0 by Bart Jacobs

• Friday, 29th of August 2008 at
Making the best of Mifare Classic by Wouter Teepe

• Friday, 22nd of August 2008 at
Implicit vs Explicit Information Flow, for Confidentiality vs Integrity by Erik Poll

• Friday, 4th of July 2008 at
An Efficient ID-Based Signature Scheme by Flavio Garcia

• Friday, 13th of June 2008 at
Checking bounds on output-on-input size dependencies for programs over lists by Olha Shkaravska

• Friday, 6th of June 2008 at
Multi-Level Security, 3.5 decades later by Erik Muller

• Friday, 30th of May 2008 at
Software Surgery by Sjaak Smetsers

• Friday, 18th of April 2008 at
Systematic Design of Service Oriented Architectures - A Categorical Approach by Benjamin Kanagwa

• Friday, 11th of April 2008 at
Verifying Design Patterns by Erik Poll

• Friday, 21st of March 2008 at
A Semantics for complex C++ data types: structures, unions, bitfields, possibly const and/or volatile by Hendrik Tews

• Friday, 7th of March 2008 at
Towards A Formal Semantics for C++ Types by Tjark Weber

• Friday, 29th of February 2008 at
Destructive Array Updates by Leonard Lensink

• Friday, 15th of February 2008 at
Frenzic analysis by Ronny Wichers Schreur

• Friday, 8th of February 2008 at
Non-malleable commitment schemes by Peter van Rossum

• Friday, 25th of January 2008 at
Extending Type System for Size Analysis to Algebraic Data Types by Alejandro Tamalet

• Friday, 30th of November 2007 at
How to specify iterators with separation logic by Christian Haack

• Friday, 23rd of November 2007 at
A security assessment of the NUON-Iskraemeco AMR-system by Engelbert Hubbers

• Friday, 16th of November 2007 at
Applying ideas of refinement to navigation graphs for MIDP applications by Jesus Ravelo

• Friday, 9th of November 2007 at
Encrypted Key Exchange: can we do it using symmetric ciphers? by Jaap-Henk Hoepman

• Friday, 2nd of November 2007 at
Conditional Probabilities over Probabilistic and Nondeterministic Systems by Miguel E. Andres

• Friday, 19th of October 2007 at