Abstracts
The Summer School on Applied Cryptographic Protocols 2010 is organized jointly by ECRYPT II and CASED and welcomes PhD students working in the area of applied cryptography and security protocols.
In the following you will find the abstracts of the summer school talks as listed in the program. PhD students will be further given an option to present their own research in the student track.
Sharing Sensitive Information with Privacy,
Gene Tsudik (UC Irvine, USA)
Modern society is increasingly dependent on, and fearful of, the availability of electronic information.
There are numerous realistic scenarios where sensitive data must be (sometimes reluctantly or suspiciously) shared between two or more entities without mutual trust.
As often happens, the research community has foreseen the need for mechanisms to enable limited (privacy-preserving) sharing of sensitive information and a number of effective (if not always efficient) solutions have been proposed. Among them, Private Set Intersection techniques are particularly appealing whenever two parties wish to compute an intersection of their respective sets of items without revealing to each other any other information.
This talk motivates the need for Private Set Intersection (PSI) techniques with various features and privacy properties and illustrates several concrete Private Set Intersection protocols that offer appreciably better efficiency than prior work. We also demonstrate their practicality via experimental results obtained from a prototype implementation and discuss a number of systems issues encountered in developing a toolkit that provides various flavors of PSI.
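To make concrete what "computing an intersection without revealing any other information" means, here is an added illustration (not the speaker's protocols or toolkit): the classic Diffie-Hellman-based PSI in which both parties blind hashed items with secret exponents, secure only against a passive adversary. The 1024-bit group choice, the party/message names and the sample sets are assumptions of this example.

```python
import hashlib
import secrets

# RFC 2409 "group 2": 1024-bit safe prime p = 2q + 1; items are hashed into the
# order-q subgroup of quadratic residues by squaring.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2

def is_probable_prime(n, rounds=16):
    """Miller-Rabin for odd n > 3; used to sanity-check the group parameters."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def hash_to_group(item):  # H(item) = SHA-256(item)^2 mod p, in the order-q subgroup
    return pow(int.from_bytes(hashlib.sha256(item.encode()).digest(), "big"), 2, P)

class Party:  # holds a private set and a fresh random exponent in [1, q-1]
    def __init__(self, items):
        self.items, self.secret = list(items), secrets.randbelow(Q - 1) + 1
    def blind(self):  # H(x)^k for each own item x
        return [pow(hash_to_group(x), self.secret, P) for x in self.items]
    def reblind(self, values):  # v^k for values received from the peer
        return [pow(v, self.secret, P) for v in values]

def psi(client_items, server_items):
    """Two-message DH-based PSI; returns the intersection as the client learns it."""
    client, server = Party(client_items), Party(server_items)
    msg1 = client.blind()                      # client -> server: H(x)^a
    double_client = server.reblind(msg1)       # server -> client: H(x)^ab, same order
    msg2 = server.blind()                      # server -> client: H(y)^b
    double_server = set(client.reblind(msg2))  # client computes H(y)^ba locally
    # Equal double-blinded values mark shared items; the server sees only blinded
    # values and learns nothing beyond the client's set size (semi-honest model only).
    return sorted(x for x, v in zip(client.items, double_client) if v in double_server)
```

A malicious party can deviate (e.g. reuse or substitute blinded values), which is why the protocols discussed in the talk need stronger designs than this textbook version.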
Security in Unattended Wireless Sensor Networks,
Gene Tsudik (UC Irvine, USA)
Since the late 1990s, Wireless Sensor Networks (WSNs) have been an object of much attention, interest and hype in several research communities, including embedded systems, networking and security. Envisaged applications involve WSNs where nodes (sensors) collectively monitor/measure certain physical phenomena. Sensed data is then propagated to a centralized collection point -- referred to as a "sink" -- that usually also performs network management and control functions. The sink's constant presence and availability form a key part of WSN operation.
This talk will show that some emerging WSN scenarios preclude the sink's constant presence.
Anticipated application domains include military, law enforcement, and critical infrastructure protection. In such settings, nodes must accumulate sensed data until it can be off-loaded to an itinerant sink. Unattended Wireless Sensor Networks (UWSNs) pose a number of new research issues. In particular, security challenges arise if the deployment environment is hostile and sensors are subject to compromise. Notably, the UWSN model motivates a new stealthy mobile adversary model. The absence of an on-line trusted sink, coupled with the power of the new adversary, makes prior security techniques ineffective in UWSN settings.
This talk will overview a number of potential threats posed by the UWSN adversary and sketch out some solutions that involve collaborative self-healing techniques.
Security of Internet Protocols I+II,
Kenny Paterson (Royal Holloway, University of London, UK)
In these two talks I will discuss how symmetric key cryptography is used in Internet protocols such as IPsec, SSL/TLS and SSH. I will begin by covering basic security notions and constructions for symmetric key cryptographic primitives. I will then explain how these primitives are used in the different protocols, highlighting what the theoretical results do and do not tell us about security.
Identity and Attribute-Based Encryption I+II,
Benoit Libert (UCL Crypto Group, Belgium)
The first part of this talk will give a history of identity-based encryption (IBE) schemes and some of their generalizations such as attribute-based encryption (ABE). It will mainly focus on pairing-based schemes in the standard model and their applications to chosen-ciphertext security. The second part will present recent advances that made it possible to prove full security in hierarchical IBE schemes (HIBE) with polynomially-many levels, attribute-based encryption as well as identity-based broadcast encryption with short ciphertexts.
Protocols for Secure Cloud Computing I+II,
Christian Cachin (IBM Research Zurich, Switzerland)
The cloud delivery model for computing services offers cheap access to a variety of standardized services from various providers. But after outsourcing a service to the cloud, the owner no longer controls the platform on which the service runs. The user is bound to trust the cloud provider for correctness, privacy, and integrity of its data and computations. Cryptographic mechanisms can reduce such trust by allowing the user to protect its data and computations, as well as to verify aspects of remote computation.
This presentation introduces a number of primitives for securing cloud computing: (1) methods to protect the confidentiality, integrity, and reliability of remotely stored data accessed by a single client; (2) protocols to ensure that a group of multiple clients see consistent responses from a cloud service; (3) so-called "proof-of-storage" protocols to convince a client that its data is still available, without actually retrieving it; and (4) the replication-based approach to tolerate faulty service providers, applicable to arbitrary services, which is also known as "Byzantine fault-tolerance (BFT)".
Protocols for Multi-Party Computation I+II,
Berry Schoenmakers (TU Eindhoven, Netherlands)
Secure multi-party computation (MPC) is one of the most fundamental problems in cryptography. At a high level, the problem is concerned with n parties, each holding a private input, that want to compute a function of those inputs so that each party learns its own output, but no other information is revealed, even in the presence of malicious parties that may deviate arbitrarily from the protocol. Given the arbitrary nature of the "function" and its far-reaching applicability – instances of MPC include e-voting, distributed auctions, contract signing, on-line bidding, etc. – the problem has been the subject of extensive research since its formulation by Goldreich, Micali and Wigderson more than two decades ago.
In this course, after a general introduction to the problem and overview of the techniques and approaches that enable MPC in the basic models of computation (cryptographic, unconditional), we will focus on efficient protocol constructions for a range of primitives and applications.
Hardware-Based Crypto-Protocols I+II,
Ahmad Sadeghi (Ruhr University Bochum, Germany)
Cryptographic protocols allow parties to collaborate securely without mutual trust and provide the basic technology for a wide range of privacy-preserving applications. However, even the simplest functionalities such as commitments, oblivious transfer, or set intersection require computationally expensive public key cryptography when implemented in software only, and their secure universal composition cannot be achieved without additional setup assumptions.
A recent line of research shows how trusted hardware tokens (e.g., smartcards) can be used to substantially improve the performance of cryptographic protocols, overcome known impossibility results, and realize Trusted Computing functionality.
In our two lectures we consider special aspects of hardware-based cryptographic protocols: Motivated by applications we discuss different trust models and security goals, introduce the basics of Secure Function Evaluation (SFE), and go through some selected recent research results, whereby particular focus is devoted to the practical aspects of these protocols. Moreover, the lecture gives a short overview of the Trusted Computing initiative and protocols standardized by the Trusted Computing Group (TCG) based on the Trusted Platform Module (TPM).
Protocols for Securing Communication I+II,
Michel Abdalla (ENS Paris, France)
Key exchange is one of the most useful tools in cryptography, allowing users to establish a common secret which they can then use in applications to achieve both privacy and authenticity. Among the examples of key exchange protocols, the most classical one is the Diffie-Hellman protocol, which allows any two parties to establish a common secret even in the presence of a passive adversary, which may be eavesdropping on the communication. To achieve security in the presence of active adversaries, several means of authentication have been proposed, most of them relying on either the existence of a public-key infrastructure (PKI) or the availability of pair-wise high-entropy secret keys. Unfortunately, due to the size of the secrets used to authenticate, the parties in this case have to either store their secrets on a secure device or use them from one machine only. One way to avoid this problem is to rely on short and easily memorizable secrets (a.k.a. passwords) for authentication.
In these lectures, I will consider the problem of designing 2-party and group authenticated key exchange protocols, both in the PKI and password-based settings. In particular, I will discuss the different security goals that one can consider in these settings as well as different ways of realizing these goals in the random-oracle and standard models.
Identification Protocols I+II,
Ivan Visconti (University of Salerno, Italy)
Secure and privacy-preserving identification is an extremely successful research topic. It represents a major example of how cryptographic protocols can be used to solve practical real-world problems.
The content of these two lectures will include various security notions and protocols for secure and privacy-preserving identification, addressing both theoretical and practical issues. Some specific examples of currently used protocols will be illustrated and discussed, stressing their limitations and strong points.
Organizing Committee
Marc Fischlin, TU Darmstadt & CASED
Aggelos Kiayias, University of Athens
Mark Manulis, TU Darmstadt & CASED