
COSIC events


PhD defense - Maarten Breckpot

10/07/2013
17:00
Aula van de 2e hoofdwet, Thermotechnisch Instituut

"Flood control of river systems with Model Predictive Control"

Maarten Breckpot (KU Leuven, Department of Electrical Engineering)

Abstract
This dissertation explores the applicability of Model Predictive Control (MPC) for the purpose of set-point control and flood control of river systems. The first part of this work discusses the modelling aspects of river systems. The dynamics of a single reach can be described with the well known hydrodynamic equations of de Saint-Venant. Combining these hyperbolic Partial Differential Equations (PDEs) for every reach, together with the nonlinear equations modelling the hydraulic structures and the boundary conditions related to junctions, mathematical models can be constructed for a wide range of river systems. However, these models are typically too complex to be used directly in the design of a controller. A new type of approximate model is proposed in this dissertation. A significant reduction in computational complexity with respect to using the full hydrodynamic model while still achieving accurate results can be obtained by approximating the dynamics of every reach with a linear model in combination with the nonlinear gate equations. Model reduction techniques can be used to further decrease the computational complexity.

The main part of this dissertation focuses on the design of the predictive controllers. The key ingredient is to work with the gate discharges as optimization variables instead of the gate openings. A linear approximate model is sufficiently accurate in this configuration and the resulting optimization problem is a Quadratic Programming problem (QP). It is explained how this controller can be used for set-point control and flood control at the same time and how it can recover the buffer capacity of the reservoirs in an efficient way. Attention is also paid to minimize the computation time needed to solve this QP at every time step by decreasing the number of optimization variables and the number of inequality constraints. The use of a Kalman filter as state estimator is also discussed. All closed loop simulations are performed with the full hydrodynamic models.

Besides some academic test examples, a mathematical model of the Demer based on real field data is used to test the performance of the proposed control scheme. It is discussed how the controller can deal with the irregular bed slope and the irregular cross-sectional profiles of the river system without having to rely on advanced nonlinear control techniques. The performance of the predictive controller is tested on the full hydrodynamic model with the historical rainfall data of the Demer for the flood event of 2002, and compared with the control performance of the controller currently installed. The proposed predictive control scheme significantly reduces the number and the magnitude of floods, leads to better set-point tracking and recovers the buffer capacity faster than the current controller.

Summer School on Design and Security of Cryptographic Functions, Algorithms and Devices

30/06/2013 - 5/07/2013
Albena, Bulgaria

The summer school on Design and Security of Cryptographic Functions, Algorithms and Devices will take place in Albena (Bulgaria) from 30 June to 5 July 2013.

The summer school is jointly organized by COSIC, KU Leuven; Incidence Geometry Group, UGent; ETRO, VUB and the Institute of Mathematics and Informatics, Bulgarian Academy of Sciences.

The school aims at bringing together PhD students, postdoc researchers and security experts from industry interested in the following topics:

  • Boolean functions
  • Block ciphers
  • Hash functions
  • Differential and linear cryptanalysis
  • Implementation attacks
  • Fault injection attacks
  • Countermeasures
  • Leakage-resilient cryptography
  • White-box cryptography
  • Security of embedded systems

The school will be organized as follows:

  • 3 days of introductory lectures, including a half day with presentations by the participants in the school.
  • 2 days of parallel sessions with more advanced lectures on (1) Design and Cryptanalysis of SK algorithms and (2) HW/SW Security.

Third International Workshop on Cryptography, Robustness, and Provably Secure Schemes for Female Young Researchers (CrossFyre)

20/06/2013 - 21/06/2013
ESAT, Kasteelpark Arenberg 10, 3001 Leuven, Belgium

CrossFyre 2013 is a 1 ½ day event that will take place from June 20th to June 21st, 2013 in Leuven, Belgium. The program will be announced shortly. You are kindly invited to attend and give a short presentation of your research topic to your fellow participants.

The main purpose of this workshop is to bring female researchers in the field of Cryptography and Information Security together to promote their research topics and their careers as women in engineering. We hope to encourage a tighter cooperation between women in Cryptography and Information Security, and to motivate joint papers.

Though the workshop is primarily aimed at female researchers, male researchers are also invited to take part. We also welcome undergraduate students to this workshop and strongly encourage supervisors to support participation, be it passive (mainly listening) or active (all students are encouraged to submit abstracts and give talks during the workshop).


Ph.D. Defence Nikolaos Mavrogiannopoulos - Secure Communications Protocols and the Protection of Cryptographic Keys

18/06/2013
14:00
Auditorium B, 00.24, Kasteelpark Arenberg 10, 3001 Heverlee

COSIC Course 2013

3/06/2013 - 6/06/2013
Leuven

Ph.D. Defence Kerem Varici - Design and Cryptanalysis of Symmetric Key Algorithms

22/05/2013
17:00
Aula van de Tweede Hoofdwet, 01.02, Kasteelpark Arenberg 41, 3001 Heverlee

Cosic Seminar: ALE: AES-Based Lightweight Authenticated Encryption - Elmar Tischhauser

22/05/2013
14:00 - 15:00
Aud. A - ESAT

Abstract:

We propose a new Authenticated Lightweight Encryption algorithm coined ALE. The basic operation of ALE is the AES round transformation and the AES-128 key schedule. ALE is an online single-pass authenticated encryption algorithm that supports optional associated data. Its security relies on using nonces. We provide an optimized low-area implementation of ALE in ASIC hardware and demonstrate that its area is about 2.5 kGE, which is almost two times smaller than that of the lightweight implementations for AES-OCB and ASC-1 using the same lightweight AES engine. At the same time, it is at least 2.5 times more performant than the alternatives in their smallest implementations, requiring only about 4 AES rounds to both encrypt and authenticate a 128-bit data block for longer messages. When using the AES-NI instructions, ALE outperforms AES-GCM, AES-CCM and ASC-1 by a considerable margin, providing a throughput of 1.19 cpb, close to that of AES-OCB, which is a patented scheme. Its area- and time-efficiency in hardware as well as high performance in high-speed parallel software make ALE a promising all-around AEAD primitive.

Ph.D. Defence Bart Mennink - Provable Security of Cryptographic Hash Functions

7/05/2013
13:30
Auditorium Arenberg Castle, Kasteelpark Arenberg 1, 3001 Heverlee

Cryptographic hash functions form the basis of the security of today's digital environment, and find applications in numerous cryptographic systems such as tamper detection, key derivation functions, and digital signatures. Ideally, hash functions behave like a random oracle, a function that returns random outputs for each new input, but in practice such a construction does not exist. Usually, a hash function is designed to give strong confidence that it is indeed secure, and it is presumed secure until it is broken. In 2004-2005, cryptanalytic breakthroughs raised doubts about the security of many widely employed hash functions, such as MD5 and SHA-1. In response, in 2007 the US National Institute of Standards and Technology (NIST) announced a call for the design of a new SHA-3 hashing algorithm.

This dissertation deals with the fundamental security properties of hash functions. It is divided into two parts.

In the first part of the dissertation, we analyze existing hash functions and introduce design methodologies. We particularly search for the limits within the provable security framework, by considering minimalist designs with maximal security. Firstly, we look at double block length 3n-to-2n-bit compression functions based on block ciphers with an n-bit message and key space. We consider the MDC-4 hash function, and improve its collision and preimage security bounds. Next, we present a family of designs that make three cipher calls and achieve optimal collision security and very good preimage security. Furthermore, we consider the possibility of compression functions based on permutations, and provide a full security classification of all 2n-to-n-bit compression functions solely built of XOR operators and three permutations.

As a final contribution of this part, we propose the family of parazoa functions as a generalization of the sponge hash function design, and prove that parazoa functions are indifferentiable from a random oracle. The sponge is a popular hash function design and many derivatives, called sponge-like functions, appeared in literature. However, these sponge-like functions do not automatically enjoy the same security guarantees as the original sponge. Our generalized parazoa family applies to a wide class of sponge-like functions, and the indifferentiability proof for parazoa naturally carries over.

In the second part of the dissertation, we consider NIST's SHA-3 hash function competition from a provable security point of view. We provide a detailed survey of the five SHA-3 finalists, in which we analyze and compare their security guarantees. We consider collision, preimage, and second preimage resistance and indifferentiability of all finalists, and solve open problems where needed.

Ph.D. Defence Alfredo Rial Duran - Privacy-Preserving E-Commerce Protocols

24/04/2013
17:00
Aula van de Tweede Hoofdwet, 01.02, Kasteelpark Arenberg 41, 3001 Heverlee

COSIC seminar: Javascript Crypto: W3C Web Cryptography API - Harry Halpin (W3C)

17/04/2013
14:30 - 15:30
ESAT 00.62

This talk will give an overview of the ongoing work by the W3C on a general purpose Javascript cryptography API in the context of the larger desire to create trusted and encrypted cloud services with rich web applications. Today, cryptography is difficult to use and the Web is an insecure environment at best, but can this situation be improved and cryptography be put in the hands of ordinary developers and users? The W3C Web Cryptography API hopes to provide OpenSSL-like bindings for common cryptographic primitives, exposing as constant-time functions the cryptographic code already in browsers via NSS and the Windows Cryptography API. Currently, the latest draft of the spec is here:

https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html

This proposal is moving fast, and will likely be finalized by the end of 2013 and be in all major browsers shortly thereafter, as browser vendors Google, Microsoft, Mozilla, Apple, and Opera are all on board. Thus, it will likely be the de-facto Javascript Crypto library, and neutral feedback from the academic cryptographic community is needed at this stage before implementation and testing begins across browsers. I will also explain how to join the Working Group and submit formal reviews that the Working Group is required by process to respond to.

Open issues include (see the complete list here: http://www.w3.org/2012/webcrypto/track/):

- Should the number of algorithms be fixed or should a registry be enabled to allow algorithms to be registered?
- Should "broken crypto" (SHA-1, PKCS #1 v1.5) be exposed for the sake of backwards compatibility?
- If so, how can per algorithm security considerations be taken into account?
- Currently pre-provisioned keys are dealt with in a separate specification (https://dvcs.w3.org/hg/webcrypto-keydiscovery/raw-file/tip/Overview.html) and there is no way to export keys. How can key import/export be done safely?
- Key storage is done using "structured clone" with a same-origin restriction, which is currently only
- Private keys can be set to non-extractable, but it is unclear if this can really be enforced. Yet the other option, of creating a separate private key store for browsers with its own lifetime, runs the risk of being a new kind of "supercookies" with attendant privacy risks.
- There is no easy-to-use "high-level" API such as KeyCzar, although there is a draft https://dvcs.w3.org/hg/webcrypto-highlevel/raw-file/tip/Overview.html . Is this worth pursuing?
- Microsoft has put forward a BigNum proposal to enable zero-knowledge proofs and blind signatures. However, this is viewed as revealing too much possibly unsafe functionality. Can it be done?

Bio:

Dr. Harry Halpin is the staff contact of the W3C Web Cryptography Working Group and a postdoctoral research associate at MIT. He received his Ph.D. in Informatics, focused on machine learning and information retrieval, at the University of Edinburgh; he is not a cryptographer. He is also President of the LEAP Encryption Access Project (leap.se), which hopes to provide secure services to activists, and co-ordinates W3C work with international bodies such as the OECD, IETF, and the like. He is also a visiting researcher at IRI du Centre Pompidou, where he is working on a book providing an overview of the history of the Web.

COSIC seminar - Compressive Sampling, On-Focal Image Compression and Sub-Threshold Source Coupled Logic SRAM RNG - Milos Balac

12/04/2013
11:00 - 12:00
ESAT 00.62

Compressive Sampling (CS) is a new approach to acquiring and compressing signals. Today it is the focus of a large number of researchers across the world. CS exploits the fact that signals are sparse, or that they can be represented as such in some basis. Unlike the common techniques that are based on the Nyquist-Shannon sampling theory, it does not need the whole information on the signal in order to compress it and later reconstruct it; therefore it uses only a small number of measurements compared to the size of the signal.

In this work compressive sampling is used for on-focal image compression. The sensing functions used for acquiring images are made of random variables (e.g. a Bernoulli matrix populated with -1 and +1 values with equal probability p=1/2). In order to generate the Bernoulli matrix, an RNG was designed. A Sub-Threshold Source Coupled Logic (STSCL) SRAM was designed as a TRNG. It uses thermal noise as a source of randomness to generate random bits on its output. However, because fabrication introduces process and mismatch variations, the STSCL SRAM requires calibration; this can easily be done with a good self-calibrating circuit.

The designed TRNG generates the Bernoulli matrix perfectly for this application. It was also tested with randomness tests in MATLAB and the NIST test suite in order to see if there is a possibility of using it in cryptographic applications (further work on this subject is needed). The STSCL SRAM TRNG designed in 90nm technology can generate 5 Mbit/s.

COSIC seminar - New Directions in Dividing: Le Fabuleux Destin d'MISTY1 (The Case of MISTY1) - Orr Dunkelman (University of Haifa)

28/03/2013
14:30 - 15:30
ESAT 00.62

MISTY1 is a block cipher designed by Matsui in 1997. It is widely deployed in Japan where it is an e-government standard, and is recognized internationally as a NESSIE-recommended cipher as well as an ISO standard and an RFC. Moreover, MISTY1 was selected to be the blueprint on top of which KASUMI, the GSM/3G block cipher, was based. Since its introduction, and especially in recent years, MISTY1 was subjected to extensive cryptanalytic efforts, which resulted in numerous attacks on its reduced variants. Most of these attacks aimed at maximizing the number of attacked rounds, and as a result, their complexities are highly impractical.

In this work we pursue another direction, by focusing on attacks with a practical time complexity. The best previously-known attacks with practical complexity against MISTY1 could break either 4 rounds (out of 8), or 5 rounds in a modified variant in which some of the FL functions are removed. We present an attack on 5-round MISTY1 with all the FL functions present whose time complexity is 2^{38} encryptions. When the FL functions are removed, we present a devastating related-key attack on the full 8-round variant, requiring only 2^{18} data and time.

While our attacks clearly do not compromise the security of the full MISTY1, they expose several weaknesses in MISTY1's components, and improve our understanding of its security. Moreover, future designs which rely on MISTY1 as their base, should take these issues into close consideration.

Joint work with Nathan Keller.

Ph.D. Defence Deniz Toz - Cryptanalysis of Hash Functions

21/03/2013
17:00
Aula van de Tweede Hoofdwet, 01.02, Kasteelpark Arenberg 41, 3001 Heverlee

This thesis deals with the analysis and design of cryptographic hash functions, which are fundamental components of many cryptographic applications such as digital signatures, authentication, key derivation, random number generation and many others. Due to this versatility they are considered the "Swiss army knives" of modern cryptology.

A hash function is a one-way mathematical function that takes a message of arbitrary length as input and produces an output of fixed (smaller) length. In recent years, several of the approved cryptographic hash functions which are generally inspired by MD4 have been successfully attacked, and serious attacks have been published against the world-wide standard SHA-1. In response, the National Institute of Standards and Technology (NIST) has opened a public competition to develop a new cryptographic hash algorithm, SHA-3, to replace the older SHA-1 and SHA-2 hash functions.

The first part of this thesis is focused on the analysis of the hash function JH, one of the finalists of this competition. We demonstrate attacks on JH showing that the algorithm is not as secure as claimed by its designer. We find a semi-free-start collision for the hash function and semi-free-start near-collisions for the compression function of reduced-round JH. Moreover, we present distinguishers for the full internal permutation.

The second part of this thesis is focused on the design of hash functions. We propose a new family of sponge-based lightweight hash functions called SPONGENT. We first explain the design strategy of SPONGENT and then present its security analysis by applying the most important state-of-the-art methods of cryptanalysis and by investigating their complexity.

COSIC seminar - Update on SHA-256 - Florian Mendel (TU Graz, IAIK)

19/03/2013
14:00 - 15:00
ESAT 00.62

Since the breakthrough results of Wang et al., hash functions have been the target of many cryptanalytic attacks. These attacks have especially shown that several well-known and commonly used algorithms such as MD5 and SHA-1 can no longer be considered secure. As a consequence, more and more companies and organizations are migrating to SHA-256. Hence, a detailed analysis of this hash function is needed to get a good view of its security. Although the design principles of SHA-256 are very similar to those of SHA-1, it is still unknown whether the collision attacks on MD5 and SHA-1 can be extended to SHA-256.

Previous collision attacks on SHA-256 are based on the same basic idea: extending a local collision over 9 steps to more steps, resulting in collision attacks on up to 24 (out of 64) steps of SHA-256. However, as already pointed out by Indesteege et al., this kind of attack is unlikely to be extended to more steps.

In this talk we discuss recent advances in the cryptanalysis of SHA-256. In particular, we will show how to find local collisions for SHA-256 (for more than 9 steps) by exploiting the nonlinearity of both the state update and the message expansion, resulting in the best known collision attacks on reduced SHA-256. To find such local collisions, an automated tool to search for complex differential characteristics was used. Using this tool we show a collision attack on 28 steps of the hash function with practical complexity. Furthermore, by using a two-block approach we are able to turn a collision for the compression function into a collision for the hash function reduced to 31 steps with a complexity of about $2^{65.5}$. Finally, we present a collision for 38 steps of the compression function with practical complexity. We have verified all our attacks by providing practical examples whenever this was possible.

Some of the results will be presented at EUROCRYPT 2013.

SecAppDev Course 2013

4/03/2013 - 8/03/2013
Faculty Club, Leuven

Ph.D. Defence Hirotaka Yoshida - Design and Analysis of Cryptographic Hash Functions

15/02/2013
17:00
Auditorium Kasteel, 01.07, Kasteelpark Arenberg 1, 3001 Heverlee

In our modern society, information and communication technology (ICT) is the basis for our daily lives. ICT covers anything that stores, retrieves, transmits or receives information electronically in a digital form. The Internet, Global System for Mobile (GSM) telecommunication, fiber-optic cables, wireless networks, supercomputers, and PCs are influential forms of ICT. The power of computers and communications has allowed systems using ICT to become important. In order for ICT systems to be reliable, security is a very relevant area for management to get right. To solve the security concerns, cryptographic applications can be used. Another important aspect of our society is that ubiquitous networking and computing have become reality in the course of just ten years. Lightweight devices such as mobile phones, IC cards, and RFID tags are being used at a large scale. Many things that one carries can even support a computation and communication function. However, these lightweight devices have to cope with security problems. These problems in such devices have recently opened up an active research area called lightweight cryptography. The main challenge in this area is to design cryptographic primitives or protocols that can be implemented under restricted resources.

Cryptographic hash functions play a very important role in the security of a wide variety of cryptographic applications. A cryptographic hash function is an algorithm that takes as input strings of arbitrary (typically very large) length and maps them to short output strings of fixed length. Since 2005, there has been substantial progress in the cryptanalysis of widely-used hash functions such as MD5 and SHA-1. The SHA-2 hash function family was standardized by NIST in 2002. However, the SHA-2 design shares the same design principle as SHA-1, which might be considered a security concern. In response to the cryptanalysis of SHA-1, NIST started the SHA-3 competition in 2007. NIST selected 51 candidates to advance to the first round in 2008, and five SHA-3 finalists to advance to the final round in 2010. NIST finally selected Keccak as the winning algorithm in October 2012.

The research presented in this dissertation is closely related to the SHA-3 competition and to lightweight cryptography. Our first contribution is the design of two block cipher-based hash functions: the general purpose hash function Lesamnta and the lightweight hash function Lesamnta-LW. In the design of Lesamnta, the main question is whether we can design a new hash function that has advantages over SHA-2. We have tried to answer this question by designing Lesamnta, which aims to offer clear arguments for a high security level and to achieve high implementation flexibility on a broad range of platforms. Lesamnta was one of the first round candidates in the SHA-3 competition but it did not advance to the second round. In the design of Lesamnta-LW, we have tried to create a unique advantage over the previous lightweight primitives. As a result, it is software-oriented and mainly targeted at 8-bit processors, while previous proposals are hardware-oriented.

Our second contribution is a security analysis of hash functions. We have contributed actively to the security analysis of block-cipher based hash functions such as HAVAL, MAME, SHA-256, and Tiger. On the other hand, we have investigated the security of the second-round SHA-3 candidate Luffa. The main questions were how strong the diffusion layer is and how we can exploit the fact that no secret information is involved in the computation of a hash function. We have tried to answer them by applying differential cryptanalysis with advanced optimization techniques to reduce the attack complexity. Our analysis has produced results which can be viewed as evidence for the security margin of these hash functions.

COSIC seminar - For Some Eyes Only: Protecting Online Information Sharing - Filipe Beato (KU Leuven)

14/02/2013
14:00 - 15:00
ESAT 02.58

End-users have become accustomed to the ease with which online systems allow them to exchange messages, pictures, and other files with colleagues, friends, and family. This convenience, however, sometimes comes at the expense of having their data be viewed by a number of unauthorized parties, such as hackers, advertisement companies, other users, or governmental agencies.
A number of systems have been proposed to protect data shared online; yet these solutions typically just shift trust to another third party server, are platform specific (e.g., work for Facebook only), or fail to hide that confidential communication is taking place. In this paper, we present a novel system that enables users to exchange data over any web-based sharing platform, while both keeping the communicated data confidential and hiding from a casual observer that an exchange of confidential data is taking place. We provide a proof-of-concept implementation of our system in the form of a publicly available Firefox plugin, and demonstrate the viability of our approach through a performance evaluation.

MobCom: Annual Workshop

6/02/2013
9:30 - 18:30
iMinds, Zuiderpoort Office Park, Gaston Crommenlaan 8, B-9050 Gent-Ledeberg
COSIC seminar - Gone in 360 Seconds: Hijacking with Hitag2 - Roel Verdult (Radboud University Nijmegen)

18/01/2013
13:30 - 14:30
ESAT 00.62

An electronic vehicle immobilizer is an anti-theft device which prevents the engine of the vehicle from starting unless the corresponding transponder is present. Such a transponder is a passive RFID tag which is embedded in the car key and wirelessly authenticates to the vehicle. It prevents a perpetrator from hot-wiring the vehicle or starting the car by forcing the mechanical lock. Having such an immobilizer is required by law in several countries. Hitag2, introduced in 1996, is currently the most widely used transponder in the car immobilizer industry. It is used by at least 34 car makes and fitted in more than 200 different car models. Hitag2 uses a proprietary stream cipher with 48-bit keys for authentication and confidentiality. This article reveals several weaknesses in the design of the cipher and presents three practical attacks that recover the secret key using only wireless communication. The most serious attack recovers the secret key from a car in less than six minutes using ordinary hardware. This attack allows an adversary to bypass the cryptographic authentication, leaving only the mechanical key as safeguard. This is even more sensitive on vehicles where the physical key has been replaced by a keyless entry system based on Hitag2. During our experiments we managed to recover the secret key and start the engine of many vehicles from various makes using our transponder emulating device. These experiments also revealed several implementation weaknesses in the immobilizer units.

COSIC seminar - Provable Security of Hash Functions - Reza Reyhanitabar (University of Wollongong, Australia)

4/01/2013
11:00 - 12:00
ESAT 00.62

In this seminar, after considering formalizations of different security notions for cryptographic hash functions and analysis of their relationships, we will proceed with reviewing three main categories of security proofs for hash functions: (1) provable security in idealized models, (2) provable security in the standard model, and (3) dual-model provable security. A hash function has dual-model provable security if it is simultaneously secure (in some specified sense such as collision resistance) in the standard model and provably pseudorandom oracle (PRO) in an idealized model. We will highlight several problems in regards to designing practical, provably secure hash functions.

Bio: Reza Reyhanitabar received his PhD in Computer Science from the University of Wollongong (UOW) in Australia in 2010. He is currently a postdoctoral research fellow at the Centre for Computer and Information Security Research in UOW and a visiting fellow at COSIC in K.U. Leuven. His research interests are mainly in symmetric key cryptography with a focus on provable security of hash functions. He is a senior member of the Australian Computer Society, and a member of the Australian Information Security Association, the Research Network for a Secure Australia, and IACR.

Ph.D. Defence Dries Schellekens - Design and Analysis of Trusted Computing Platforms

4/01/2013
13:30
Auditorium Kasteel, 01.07, Kasteelpark Arenberg 1, 3001 Heverlee